#[EncryptFields]
#[EncryptFields(key = "tenant:acme", fields("ssn", "items.*.diagnosis"))]
on a Serialize + Deserialize struct implements EncryptRecord:
record.seal(&vault) returns a serde_json::Value with the declared
fields sealed (safe for any durable sink); T::unseal(value, &vault)
reverses it. Use seal_with_key/KeyId::subject(...) for per-subject
keys minted at runtime (crypto-shredding granularity).
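
An added illustration, not the crate's own code or implementation: a std-only sketch of how a dotted field list such as fields("ssn", "items.*.diagnosis") can select the leaves to seal in a record tree, leaving every other field untouched. It assumes `*` matches every array element; `Node`, `seal_path`, `mark`, `obj` and `sample` are hypothetical names, and `mark` is a placeholder marker, not encryption.

```rust
use std::collections::BTreeMap;
// Minimal JSON-like tree standing in for serde_json::Value (std only).
#[derive(Debug, Clone, PartialEq)]
enum Node {
    Str(String),
    Arr(Vec<Node>),
    Obj(BTreeMap<String, Node>),
}

// Apply `seal` to each string leaf selected by a dotted path (assumption: `*` = every array element).
// Returns the number of leaves sealed, so a path that matches nothing is detectable.
fn seal_path(node: &mut Node, path: &[&str], seal: &dyn Fn(&str) -> String) -> usize {
    let Some((head, rest)) = path.split_first() else {
        return match node {
            Node::Str(s) => { *s = seal(s.as_str()); 1 }
            _ => 0,
        };
    };
    match node {
        Node::Arr(items) if *head == "*" => items.iter_mut().map(|n| seal_path(n, rest, seal)).sum::<usize>(),
        Node::Obj(map) => map.get_mut(*head).map_or(0, |n| seal_path(n, rest, seal)),
        _ => 0,
    }
}

// Placeholder for the vault's sealing step: a marker, NOT encryption.
fn mark(plaintext: &str) -> String { format!("<sealed:{}B>", plaintext.len()) }
fn obj(pairs: Vec<(&str, Node)>) -> Node {
    Node::Obj(pairs.into_iter().map(|(k, v)| (k.to_string(), v)).collect())
}

// Constructed sample record using the field names from the attribute above.
fn sample() -> Node {
    let item = |d: &str| obj(vec![("code", Node::Str("A1".into())), ("diagnosis", Node::Str(d.into()))]);
    obj(vec![
        ("name", Node::Str("Ada".into())),
        ("ssn", Node::Str("000-00-0000".into())),
        ("items", Node::Arr(vec![item("flu"), item("asthma")])),
    ])
}

fn main() {
    let mut rec = sample();
    for path in ["ssn", "items.*.diagnosis", "items.*.missing"] {
        let parts: Vec<&str> = path.split('.').collect();
        println!("{path}: {} leaf(s) sealed", seal_path(&mut rec, &parts, &mark));
    }
    println!("{rec:#?}");
}
```

In this sketch a path that selects nothing returns 0, which is the case to check for: a mistyped field name would otherwise leave that field in plaintext without any error.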