v1.2 adds results C4–C6: honest false-positive rate reduced ~33× (0.569→0.017), derivational residual resolved by operational-surface scoping and commit-on-write sealing, and the independent-equivalent single-coverer finding. All earlier results unchanged and reproduce. Standard deletion checks can certify that a record is gone while the information it carried is still fully recoverable: a reworded copy passes the check untouched. This paper shows that gap is real, that data provenance closes it, and maps where the defense holds and where it does not. A companion formalization paper named the Removability Gap — the structural distance between not using a deleted datum and not being influenced by it — and proposed taint-closure removability and adversary-resistant multi-source confidence to close and audit it. This paper is the empirical validation, end-to-end, on retrieval-augmented generation over a frozen base model (Qwen3-8B and BGE-M3, exact-nearest-neighbor retrieval), with every result sealed in a tamper-evident manifest chain. The gap is real and, where the attack lands, complete: an information-equivalent paraphrase of a deleted fact evades a set-membership deletion check on all 200 targets and, where it survives retrieval, recovers the fact perfectly. Provenance closes it. On the same 200 paraphrases, set-membership detects none and retrieval-luck 34, while taint-closure — verifying by recorded lineage rather than surface form — detects all 200, at a zero false-positive rate, with a soundness theorem. Its one honest blind spot is an independently-authored equivalent it shares no lineage with, and a calibrated fusion closes that too, covering both attack types. That coverage first came at a cost the original evaluation did not measure: a roughly 57 percent honest false-positive rate, because the honest and adversarial score distributions overlap. This work discloses that cost and then removes most of it — a composition redesign that treats a channel with no applicable evidence as abstaining rather than voting "clean" cuts the false-alarm rate about 33-fold (to 1.7 percent) while holding detection at 1.0, and closes the disclosed single point of failure on the independent-equivalent attack. The remaining limits are then resolved or precisely mapped: the derivational residual proves largely a scoring artifact — restricted to substitutes that actually retrieve, the content channel covers them without lineage — and commit-on-write sealing turns a lineage-hiding provider from a silent bypass into a caught, checkable claim; the independent-equivalent defense is shown to rest on a single robust channel at every density tested. One structural limit recurs and is stated plainly: at high store density the content channels cannot always separate honest deletions from retained data within a 1 percent false-positive budget. The bottom line: the gap exists and is closable by provenance where lineage is recorded — the attack's reach is bounded, the operating cost was measured and then reduced about 33-fold, and every remaining limit of the defense is named rather than hidden.
Andre Byrd (Sun,) studied this question.