Here would be my ideal scenario, but it requires changes at the OS level:
During installation, Dropbox asks the OS for an encrypted read/write view of "/home/user/Dropbox". The OS confirms this with the user. The user sets up the key/password for that encryption. Done.
If Dropbox is compelled in future to try and gain access to the unencrypted view of that same folder, it would have to ask the OS permission, and the OS would ask the user.
Dropbox could also ask for an unencrypted view on the initial installation, but the user should still be allowed to specify that the view it gets is of the encrypted versions of files only. This would be entirely transparent. Dropbox would have no idea if it's getting the full view or the encrypted view.
During installation, Dropbox asks the OS for an encrypted read/write view of "/home/user/Dropbox". The OS confirms this with the user. The user sets up the key/password for that encryption. Done.
If Dropbox is compelled in future to try and gain access to the unencrypted view of that same folder, it would have to ask the OS permission, and the OS would ask the user.
Dropbox could also ask for an unencrypted view on the initial installation, but the user should still be allowed to specify that the view it gets is of the encrypted versions of files only. This would be entirely transparent. Dropbox would have no idea if it's getting the full view or the encrypted view.