I thought this argument, from the blog post <https...
# general
Yes, no longer correct. I don't know about transactional checkpointing, but locking is now sorted for all backends.
State as a whole isn't encrypted, and I believe that's by design. Secret values are encrypted within the state. You can restrict access to the state in other ways, and anyone who can interact with the state (that is, anyone who can run Pulumi) can dump the state locally, so encrypting it in its normal location is moot.