@keks that sounds somewhat like what I have in the v18 branch. if a message could be decrypted, it's content property is set to the plaintext, and a cyphertext: ... and private: true properties are added. Then on certain apis, the messages are "reboxed" which just means the cyphertext is copied back to content. It would be possible rebox before passing to particular plugins, but I wouldn't really consider that security unless they actually ran in a sandbox of some kind.