Post
Topic
Board Meta
Re: BFL subpoena
by Quickseller on 17/04/2015, 15:01:58 UTC
Well, to avoid the problem of people potentially forgetting their password to decrypt their PMs, the forum could automatically encrypt PMs sent to someone using JavaScript; users would then store the private key locally, outside of their browser, in order to decrypt the message. If PGP is used, and the user is using GPGTools as their PGP client, and their private key is stored locally, then decrypting it would be as arbitrary as highlighting text and making two clicks (and entering your passphrase).

In theory, the JavaScript could be modified so that whenever someone enters their password to decrypt a PM, the password is transmitted to either the forum or a third-party attacker, which would essentially allow them to decrypt any PM for that user.

I think the PM encryption system shouldn't be dependent on any software other than a standard web browser, as a lot of users won't install the third-party tools and thus a lot of users won't turn on PM encryption. The idea is this system will be used for most messages as an extra layer of security; anything private should be encrypted with PGP or something similar. If most people don't turn it on, it is completely useless.

I disagree with theymos and actually think that forgetting your password is a feature. Anyway, in your case losing your private key is the same as forgetting your password, and if you use default GnuPG settings and encrypt your private key, should you forget the passphrase for that you'll still lose your private key and, as a result, your PMs. Users who fear they may lose their PMs due to forgetting a password should back up their PMs.

You are right that the JS can be modified. I mentioned above that one solution is to copy blockchain.info's solution, which was to use a browser add-on to verify the JS. Users worried about the JS being modified can install the add-on; however, it should be optional.
Well, with blockchain.info/wallet, if your password is compromised then you can simply move your funds to another address that is not compromised (hell, you can create a new bc.i wallet with a better password). With having a private key that is decrypted in the browser, if your password is compromised and the password-protected private key is stored by the forum (I think it would have to be), then it would not be possible to protect the privacy of your PMs. If the passphrase to my PGP private key is compromised (but not the private key itself) then I can simply change the passphrase to my PGP private key (I think this is possible: you could have it temporarily in decrypted format, then re-encrypt it with a new passphrase, then obviously securely delete all old copies of your PGP private key).

Having the forum automatically encrypt your PMs to the recipients' PGP public key allows the person receiving the message to choose their own level of security. You are right that fewer people will use it if it is dependent on any third-party software; however, the forum can only hold people's hands so much when it comes to security/privacy.

One thing that I could suggest (that I am sure will not be implemented, at least not for this forum) is that the forum could try to detect if PGP is being used and, if not, it will not let you send the PM. Another option is to try to detect if PGP is being used and, if not, give a warning that their communication is not secure and that others may be able to see it in the future.
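
Added example, not part of the original post: a Node.js sketch of the passphrase-change point discussed in the thread, showing that changing the passphrase only re-wraps the same private key, so a retained copy of the old passphrase-protected key still decrypts later messages. RSA with Node's built-in PKCS#8 passphrase encryption stands in for a PGP key here (an assumption), and all function names and sample strings are constructed for illustration.

```javascript
// Added illustration; not forum or GnuPG code. All names are hypothetical.
const nodeCrypto = require('node:crypto');

// Passphrase-protect a private key at rest (stand-in for an encrypted PGP secret key).
function wrapKey(privateKey, passphrase) {
  return privateKey.export({
    type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase,
  });
}

function unwrapKey(pem, passphrase) {
  return nodeCrypto.createPrivateKey({ key: pem, format: 'pem', passphrase });
}

// A passphrase change re-wraps the SAME key; the key pair itself is unchanged.
function changePassphrase(pem, oldPass, newPass) {
  return wrapKey(unwrapKey(pem, oldPass), newPass);
}

// Encrypt a short PM to the recipient's public key (RSA-OAEP is Node's default).
function encryptPM(publicKey, text) {
  return nodeCrypto.publicEncrypt(publicKey, Buffer.from(text, 'utf8'));
}

// Returns the plaintext, or null when the passphrase does not open the blob.
function decryptPM(pem, passphrase, ciphertext) {
  try {
    const key = unwrapKey(pem, passphrase);
    return nodeCrypto.privateDecrypt(key, ciphertext).toString('utf8');
  } catch {
    return null;
  }
}

function demo() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  // Constructed sample values.
  const oldBlob = wrapKey(privateKey, 'old passphrase');
  const newBlob = changePassphrase(oldBlob, 'old passphrase', 'new passphrase');
  const pm = encryptPM(publicKey, 'sent after the passphrase change');
  return {
    newBlobNewPass: decryptPM(newBlob, 'new passphrase', pm),
    newBlobOldPass: decryptPM(newBlob, 'old passphrase', pm),
    // Any copy of the old blob that was kept still opens with the old passphrase.
    oldBlobOldPass: decryptPM(oldBlob, 'old passphrase', pm),
  };
}
```

Protecting messages after a passphrase compromise therefore depends on no old copy of the wrapped key surviving, or on generating a new key pair.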