Thanks so much for posting. I am not sure I understand all of this, and I haven’t had time to test it myself, but this would seem to be meaningless encryption if correct. My understanding was that by setting a password on your database, no one else would have it (Dropbox or DT), and you could be assured that the content of the sync store located in any cloud service was secure.
Until we get this sorted out, perhaps it might be worth trying SpiderOak (my preferred cloud service) instead of Dropbox for the sync store. It has zero-knowledge encryption, so ought to provide an additional layer of protection. I wonder if this would work.