It was pointed out in
MDEV-17230 and MDEV-18601 that the InnoDB background encryption threads can't read a table's encryption key ID from the table's .frm file if the table is created with ENCRYPTED=DEFAULT set while innodb_encrypt_tables=OFF is set. If innodb_encrypt_tables=ON is set later on, then the table may be encrypted with the wrong key.
marko said we might not be able to fix this in 10.1, but we might be able to fix this in 10.2 and later.
This problem is documented here: