The goal is to reduce the attack surface, and prevent incidental discovery of data. For example, I could set up a server that manages high security passwords and only grant access to a select few trusted people. I have to carefully audit how that server gets used, and who can use it, but I can let any old DBA mess around with all my encrypted data. I can throw it on any old server, I could outsource it to some cloud hosting company, it doesn't matter. That's a huge win in some industries. The only thing I need to trust now are the servers with credentials and the CryptDB software itself, I don't need to care about the data itself.