I agree with all your statements. And for every post I've seen explaining how to do this in a manner that DBAs cannot decrypt, there is another post saying if you can't trust DBAs then maybe need new DBAs.

Before I started at my last job, they'd already implemented Idera SQL compliance manager to audit activity. As long as you don't put the same DBAs you're trying to monitor in charge of this tool too, I believe it's a very good solution. .