Part of the threat model is that individual orgs can be compelled in various ways to turn over individual user data, and having different orgs holding their own private keys helps to mitigate this.