You have the ability to move, as long as Bluesky Social PBC allows it.
They hold the keys for your DID. If they don't allow you to move to another PDS, you can't move. The original theory was that you'd hold the private keys, but that's something that would hugely limit adoption so they decided to hold the keys themselves.
In terms of moving your backlog of posts to a new server, part of the issue is liability (not merely legal liability, but reputational as well). When you have a user on your platform and they're posting stuff, you're moderating them in real time. If they turn out to be a horrible troll, you've get the reports. Let's say a horrible troll has been on EvilServer and EvilServer has been ignoring the reports against them. They now want to move to your GoodServer and bring all their post history with them. As an admin of GoodServer, you can't see that everyone has been reporting this troll for years. They're now moving over lots of horrible, inflammatory, potentially illegal posts to your server.
You can register a recovery key which allows overriding the signing key. This allows users to move from an adversarial PDS. I do think Bluesky should push for more users to add a recovery key, but I also understand why they haven't.
Moderation tools arent limited to specific PDS's, labels are public. If an account has received many reports it will have been labelled by Bluesky's moderation account and other independent labellers. A PDS can check against these before allowing an account to migrate if they choose to. I'm not sure any are currently doing this, but this is something that can absolutely be improved in current implementations, not an inherent limitation of the architecture.
How to adversarial migrate: https://www.da.vidbuchanan.co.uk/blog/adversarial-pds-migrat...
*requires your own PLC key, which the vast majority of users do not have, protonmail has good prior art here (imo)
Yeah, I think Bluesky should put more effort in getting users to create their own PLC key. It's trivial for someone who knows about it to do it, but of course the average user has no idea what atproto is. They need to explain it in a user-friendly way and have a simple tool to do it.
I'm not aware of what Proton does here, I'll look into that.
When you create a proton account, they create a recovery file for you and have copy about the importance and relevance at that point in onboarding. In other words, users shouldn't have to create their own PLC key, it should be created and downloaded on device automatically. I immediately thought "this is what bluesky should have done" when that happened (proton is recent for me), because this PLC key thing always comes up.
You can add your own keys to your DID, and IIRC you can even remove bsky's keys within a given timeframe (days).
You can also opt for a did:web identity using your own domain in which case did:plc is irrelevant to you.
https://atproto.com/specs/did