Encrypt profiles stored to iCloud

[keeshux]

Now possible with iOS 15 target, but from:

https://developer.apple.com/documentation/cloudkit/encrypting_user_data

The encrypted fields can’t have indexes because the server can’t read the fields. The encrypted fields also have to be newly introduced to an existing record or a new record. You can’t convert existing unencrypted fields in the CloudKit schema.

Therefore it must be a new field. As to Core Data:

https://developer.apple.com/documentation/coredata/nsattributedescription/3746827-allowscloudencryption

Set this property to true to store the attribute’s value in an encrypted form in iCloud. Only use this property with new attributes. Core Data doesn’t support encrypting attributes that already exist in your CloudKit schema, or attributes that represent relationships between entities.

TL;DR Add new encryptedJSON field with fallback to json.

Going forward, persist profiles encrypted to the CloudKit container. Conversely, read from the encrypted field if any, falling back to the plain JSON field. This is a requirement until full migration is implemented.

WARNING: the change is NOT backward compatible, as it would defeat the purpose. That is, once the profile is stored encrypted, the old plain profile is erased and its content won't be readable by older versions of the app.