You say "requiring by default". That makes no sense in this context (or most) - you can either require something (which is not "by default") or you do not (at which point you can encourage something as strongly as you like, but it's still not required).

The github issue is quite clear about "requiring", not "by default", which is a restriction on what someone does with their own data. Particularly since AFAICT there is still no spec for data exchange over flat files. CXP is a probably-reasonable more-safe option to encourage, but it really shouldn't be the only option.

(arguably CXF only defines non-encrypted files, since it doesn't even recommend encryption options or provide a way to communicate what was used, except to say that it "MUST" encrypt or coordinate over CXP)

Hi! I have no issue with having the backup being encrypted by default, except the discussion returns again and again to disallowing any cleartext export, even when specifically requested by the end user.

And on a separate note, I fundamentally disagree for political reasons with the idea that the websites should be able to block specific passkey providers.