For garbage collection we use essentially TTL+extend-on-touch semantics. As long as you see clean builds at a faster rate than your TTL this should have the effect that all relevant actions are seen at least once and won't be collected.
We've considered doing something with transitive data dependencies a couple times, but it never seemed tractable to pursue - along with the issues Ulf raised there's a data volume problem, where each blob has probably 10s or hundreds of direct ancestors and inordinately many indirect ones; many blobs (including toolchains and the empty blob) will be a data dependency for millions or possibly billions of others. So a forward graph would be nearly impossible to store.
A reverse graph of blob to known ancestors sounds more plausible, but I don't think it is in practice - consider a linked binary that takes a bunch of object files, strips out most of the data, and produces a relatively small output binary. Various changes to source files can be made that don't affect the final output, since their contents gets stripped out of the final binary. Which means this output blob now has a logical reverse dependency on every possible link action since there was a last "meaningful" change, possibly going arbitrarily far back in time...any one of those actions could produce the blob, but you don't know which is relevant to current builds just from data dependencies alone.
(Or worse, imagine an action that takes a binary as input and produces a blob containing 'OK'. That 'OK' blob would have a potential data dependency on every version of that binary ever, and all transitive actions above it).
For signing purposes, the transitive closure of data available to the builder is more informative anyways - the source tree at whatever hash, versions of any repositories pulled, etc. Reverse engineering that from blobs seems way harder than propagating trustable information forward...at the end of the day the blob dependency closure is going to end at "pure inputs" uploaded by bazel anyways, and you still need something to map those back to what they logically are and where they came from to get a useful signal for your signing system to infer anything from.