"Correct" garbage collection of course requires ability to see all pointers. Upspin audit can do this in a context where there is one dominant owner. In the general global case where there are links in confidential directories to semi-public resources by other upspin users, this seems hard.
One possibility is a more shared version of audit that has a convention on how to publish lists of blocks in use. All readers of a storeserver would have to participate, at penalty of losing files.
Another idea, from the time of the original Plan 9 snapshot filesystem that Upspin builds on, is to have storage so cheap that garbage collection is not a pressing matter. It is never free, so we still want to avoid generating huge temporary files. (And hence bringing up the topic on this thread.)
I'm unclear whether our existing cloud storage does an adequate automatic job of distinguishing cold, very cheap, blocks from warmer ones with faster access and higher cost.