I was presenting a puzzle/conundrum/whatever here. It's a problem I've seen since my use of PGP in the early 90's and one problem that so many people have faced. I don't have a good solution, but it's something that I think should be debated more and discussed.

A risk analysis makes sense, but how do you determine the risk of losing backup or mdf/ldf files? Apart from putting your thumb up in front of some scale and making a WAG. (wild guess)

It's unlikely that your files get stolen. However, if they do it's a problem. So how much effort is worth putting in? Hard to tell and if you're going to put in the effort with TDE or encrypted Litespeed/SQLBackup/SQLSafe backups, then how do you manage the keys/passwords? Not an easy thing to do.