No PGP auto-encryption as market listing criteria?

Auto-encrypt is not preferable, for all the reasons listed in OP's post. I'd like it to be disabled, but I'm not sure you can force all or most DNM users to go through with it. On the upside, you need to encrypt your address only once per vendor used and can paste that same ciphertext again when ordering.

Risks:

  1. With auto-encrypt you will teach users not to explicitly encrypt. Without AE there is still a risk someone will paste their address into the order field, but the risk is minimised because a) they have been taught not to use it, and b) it will only apply after a hacker or LE takeover.
  2. With an LE takeover, it's possible they can force the key and passphrase out of the vendor. There is nothing you can do about this, but I think it's in the vendor's best interest to disclose those details because it is an admission of crime. Very likely LE might try to replace the GPG key (I've seen this happen for non-DNM sites after seizure). One method to protect from the latter is to check if the key has changed - GPG will say on import whether the key is new, or you can check Grams.

Expert info: you can check what is in a public key block or message with gpg --list-packets or pgpdump -impl.

/r/DarkNetMarkets Thread
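One way to do the "has the key changed" check from point 2 without relying on the market's own page, as an added example that is not part of the original post: a small Python script that dearmors a public key block, walks its packets the way gpg --list-packets does, derives the v4 fingerprint (RFC 4880 section 12.2) and compares it with one pinned from an earlier order. The key block it parses is constructed inline (a fake RSA key with an arbitrary modulus, no self-signature and no CRC line) so the script runs offline; the function names, the vendor UID and the fingerprints are illustrative, not anything from the thread.

```python
"""Inspect an armored OpenPGP public key block without gpg (added example,
not from the thread). Decodes the armor, walks packet headers like
`gpg --list-packets`, and computes the v4 fingerprint (RFC 4880 s12.2) so a
fingerprint pinned at the first order can be checked against the key a
market page serves later. Stdlib only; partial body lengths not handled."""
import base64
import hashlib
import struct

TAG_NAMES = {2: "signature", 6: "public key", 13: "user ID", 14: "public subkey"}


def dearmor(armored: str) -> bytes:
    """Raw packet bytes inside -----BEGIN/END PGP-----. Armor headers contain
    ':' and the CRC24 line starts with '=', neither of which a base64 data
    line can, so both are dropped (the CRC is not verified here)."""
    body, inside = [], False
    for raw in armored.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif inside and line and ":" not in line and not line.startswith("="):
            body.append(line)
    return base64.b64decode("".join(body))


def iter_packets(data: bytes):
    """Yield (tag, body) per packet, old- and new-format headers (RFC 4880 s4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte at offset {i}")
        i += 1
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                           # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            width = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + width], "big"), i + width
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError(f"packet tag {tag} truncated")
        yield tag, body
        i += length


def fingerprint_v4(pubkey_body: bytes) -> str:
    """SHA-1 over 0x99 || two-octet body length || public-key packet body."""
    if pubkey_body[0] != 4:
        raise ValueError(f"unsupported key packet version {pubkey_body[0]}")
    prefix = b"\x99" + struct.pack(">H", len(pubkey_body))
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def inspect_key(armored: str) -> dict:
    """Primary-key fingerprint plus a one-line summary per packet."""
    fpr, listing = None, []
    for tag, body in iter_packets(dearmor(armored)):
        name = TAG_NAMES.get(tag, f"tag {tag}")
        if tag == 6:
            fpr = fingerprint_v4(body)
            created = int.from_bytes(body[1:5], "big")
            listing.append(f"{name}: v{body[0]} algo {body[5]} created {created} fpr {fpr}")
        elif tag == 13:
            listing.append(f"{name}: {body.decode('utf-8', 'replace')}")
        else:
            listing.append(f"{name}: {len(body)} bytes")
    return {"fingerprint": fpr, "packets": listing}


def key_changed(pinned_fingerprint: str, armored_now: str) -> bool:
    """True when the key served now does not match the fingerprint saved earlier."""
    now = inspect_key(armored_now)["fingerprint"]
    norm = lambda s: s.replace(" ", "").upper()
    return now is None or norm(now) != norm(pinned_fingerprint)


def _mpi(n: int) -> bytes:
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def make_sample_key(modulus: int, uid: bytes, created: int = 1500000000) -> str:
    """Constructed, minimal v4 RSA key block for exercising the parser: NOT a
    real key (arbitrary modulus, no self-signature, CRC24 line omitted)."""
    pub = bytes([4]) + struct.pack(">I", created) + bytes([1]) + _mpi(modulus) + _mpi(65537)
    packets = b"\x99" + struct.pack(">H", len(pub)) + pub  # old-format tag 6, 2-octet length
    packets += bytes([0xB4, len(uid)]) + uid                # old-format tag 13, 1-octet length
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + "\n".join(lines) + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Against a real vendor key you would call inspect_key on the text of the saved .asc file, store the fingerprint with the order, and later run key_changed against whatever the market page serves; a True result is the "key replaced after seizure" case the post warns about. The script deliberately does no signature verification, so it only tells you the key is different, not which one is genuine; that still has to come from an out-of-band source such as the vendor's earlier signed posts.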