Encrypted POD? Is Solid designed with this in mind? If not, would it be possible to add?

Two years late to the April 2024 revival, but this thread directly asks a question that now has a working implementation, so it seemed worth linking.

The approach that ended up working: client-side encryption using the browser’s native WebCrypto API, storing encrypted blobs in a regular pod container alongside an opt-in plaintext RDF sidecar for indexing. The key material lives on the pod as a wrapped keystore, not on the provider’s servers. Standard AES-256-GCM for payloads, ECDH key agreement for delegation between apps.

The limitation NoelDeMartin raised in the discussion thread is real: encrypted data isn’t interoperable with apps that don’t implement the same protocol. That’s a genuine trade-off, not a solved problem — the vault is for the subset of data where you explicitly want to prioritise privacy over portability.

The SDK is open source at pod42/PDPVault-SDK — five TypeScript files, no dependencies — if anyone wants to see how the key derivation and delegation are structured, or wants to implement compatible readers in another project.

1 Like
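
The scheme described in the post above (AES-256-GCM payloads, a wrapped data key, ECDH agreement for delegation between apps), as an added WebCrypto example that is not taken from the post or from PDPVault-SDK. The HKDF step, the AES-KW wrapping, the binding of the resource URL as additional authenticated data, and all function names and sample values are assumptions of this example.

```javascript
// Added illustration, not PDPVault-SDK code; every name below is hypothetical.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // older-Node fallback
const subtle = wc.subtle, enc = new TextEncoder();

// Each party (pod owner, delegated app) holds an ECDH P-256 key pair.
const newIdentity = () => subtle.generateKey({ name: "ECDH", namedCurve: "P-256" }, false, ["deriveBits"]);

// ECDH agreement -> HKDF -> AES-KW key-encryption key (KEK); both sides derive the same one.
async function sharedKek(myPrivate, theirPublic) {
  const bits = await subtle.deriveBits({ name: "ECDH", public: theirPublic }, myPrivate, 256);
  const ikm = await subtle.importKey("raw", bits, "HKDF", false, ["deriveKey"]);
  const hkdf = { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32),
                 info: enc.encode("example-delegation-v1") }; // constructed context label
  return subtle.deriveKey(hkdf, ikm, { name: "AES-KW", length: 256 }, false, ["wrapKey", "unwrapKey"]);
}

// Encrypt one payload under a fresh AES-256-GCM data key (DEK). The resource URL is
// bound as additional authenticated data, so a blob copied to another URL fails to open.
async function seal(plaintext, url) {
  const dek = await subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV per encryption
  const ct = await subtle.encrypt({ name: "AES-GCM", iv, additionalData: enc.encode(url) },
                                  dek, enc.encode(plaintext));
  return { dek, blob: { iv, ct } };
}

// The delegate unwraps the DEK with the shared KEK, then decrypts and authenticates.
async function unseal(blob, wrappedDek, kek, url) {
  const dek = await subtle.unwrapKey("raw", wrappedDek, kek, "AES-KW", "AES-GCM", false, ["decrypt"]);
  const pt = await subtle.decrypt({ name: "AES-GCM", iv: blob.iv, additionalData: enc.encode(url) },
                                  dek, blob.ct);
  return new TextDecoder().decode(pt);
}

async function demo() {
  const [owner, app, stranger] = await Promise.all([newIdentity(), newIdentity(), newIdentity()]);
  const url = "https://pod.example/vault/note1.bin"; // constructed sample values
  const { dek, blob } = await seal("blood type: O+", url);
  const ownerKek = await sharedKek(owner.privateKey, app.publicKey);
  const wrapped = await subtle.wrapKey("raw", dek, ownerKek, "AES-KW"); // stored beside the blob
  const appKek = await sharedKek(app.privateKey, owner.publicKey);
  const strangerKek = await sharedKek(stranger.privateKey, owner.publicKey);
  const rejects = (p) => p.then(() => false, () => true);
  return {
    text: await unseal(blob, wrapped, appKek, url),
    movedBlobRejected: await rejects(unseal(blob, wrapped, appKek, url + ".copy")),
    strangerRejected: await rejects(unseal(blob, wrapped, strangerKek, url)),
  };
}
```

Only the ciphertext, IV and wrapped key would need to be written to the pod; an app without a matching key pair fails at the unwrap step, which is the interoperability trade-off the post mentions.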