can a hidden service avoid storing unblinded client identities?

This assumes that we find a way to avoid having the client send its unblinded permanent identity to the server -- #4

One of the great features of TorPKI is that your onion hostname is your identity. I do not want to change this.

In the most straightforward use case, server ACLs (i.e. lists of client identities, and the privileges associated with them) will be keyed on onion hostnames (aka unblinded permanent identities).

However, if an onion endpoint (e.g. a hidden website) gets hacked or exploited, we would prefer that the entire list of unchangeable identities not be instantly available to the attacker.

Perhaps it is possible to use the Tor key blinding scheme to "doubly-blind" a client's identity: once with the period-number and again with the hash of some secret which is stored offline. I haven't thought this through.

Edited by amjoseph