@mray In the LDS + HTTP signatures route, two keys are described... one for the actor profile, one for clients (which is registered with the server of the actor).

So in theory, encryption could either happen between servers, or between clients.

Of course, it's not been done yet, but I think that route is open.