Well, to avoid the problem of people potentially forgetting their password to decrypt their PMs, the forum could automatically encrypt PMs sent to someone using JavaScript; users would then store the private key locally, outside of their browser, in order to decrypt the message. If PGP is used, and the user is using GPGTools as their PGP client, and their private key is stored locally, then decrypting it would be as arbitrary as highlighting text and making two clicks (and entering your passphrase).
In theory, the JavaScript could be modified so that whenever someone enters their password to decrypt a PM, the password is transmitted to either the forum or a third-party attacker, which would essentially allow them to decrypt any PM for that user.
I think the PM encryption system shouldn't be dependent on any software other than a standard web browser, as a lot of users won't install the third-party tools and thus a lot of users won't turn on PM encryption. The idea is that this system will be used for most messages as an extra layer of security; anything private should be encrypted with PGP or something similar. If most people don't turn it on, it is completely useless.
I disagree with theymos and actually think that forgetting your password is a feature. Anyway, in your case losing your private key is the same as forgetting your password, and if you use default GnuPG settings and encrypt your private key, should you forget the passphrase for that you'll still lose your private key and, as a result, your PMs. Users who fear they may lose their PMs due to forgetting a password should back up their PMs.
You are right that the JS can be modified. I mentioned above that one solution is to copy blockchain.info's solution, which was to use a browser addon to verify the JS. Users worried about the JS being modified can install the addon; however, it should be optional.