The aspiration here is to hand off the management of encryption keys to the owners of a database schema; rather than the admins of the instance.

It would be useful to set the default key_id for encryption as a property of the database; rather than the instance.
i.e.

CREATE DATABASE newdb default_encryption_key_id = 100;

 ALTER DATABASE newdb default_encryption_key_id = 101;

Currently the instance needs restarting to add new keys, which are only read at startup.
Consideration should be give to how keys could be added dynamically; and how schema owners could be given the privilege to store keys for their own databases (possibly making key_id into a sequence number) would be useful.

The keystore password also needs a mechanism where it is not stored in clear.
This one is tricky with an open source product - but something like a simple an XOR using the database ID to at obfuscate the information would be an improvement.

mysql supports encrypted exports which do not seem to be a feature of mariadb. It would be good to see that approach implemented so end to end data integrity is possible.

Finally, the file_key_management plugin really should start supporting key rotation at some point. We have the option of writing our own plugins for better key storage (e.g. using HSM storage of keys like Oracle 11 offers) and to support full key rotation - but the learning curve before we could achieve that is quite high.