The reason to put encryption at the bottom of the stack is that it helps with Hyrum's Law. Part of the reason TLS is so hard to change is that everyone can see all the data and therefore anyone on the path your packet takes might make decisions based on the data. This code will break if you try to update anything (even if the thing they are observing is something that they shouldn't have been observing). By encrypting everything possible, you remove the ability for everyone in the middle to see or depend on any details of the higher layers.
Enjoy debugging things when everything is encrypted... and then your certificate provider goes down (or removes you because they don't like you) and you can't even connect...