As noted by others, the encryption of user data when at rest on the server is critical. This server becomes the central location that stores all data from all clients (sensitive data or not). This of course makes the backup server a huge liability for data breach.
Especially in the case of people who were using the free P2P backup options of CrashPlan, the data is likely on servers that are not under full control (physical and logical security). This could be a friend's computer or a VPS somewhere.
Having application-specific encryption with its own passphrase, encrypted at the client, would solve this.
I think, as also mentioned, many people are OK with losing some space savings of dedup when this feature is enabled.
As for the encryption key, I think one that is generated from a passphrase might be useful and easier to keep track of than a key file on the client.
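An added example, not from the original post or from CrashPlan, of the client-side scheme the post asks for: the key is derived from a passphrase with PBKDF2-HMAC-SHA256 over a per-chunk random salt, each chunk is sealed with AES-256-GCM, and because salt and nonce are fresh per call, identical chunks no longer match on the server, which is the dedup loss mentioned above. The blob layout, the iteration count and the assumption that `openChunk` receives a well-formed blob (at least salt plus nonce long) are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

const saltLen, nonceLen, kdfIter = 16, 12, 100_000 // kdfIter is a hypothetical work factor

// chunkAEAD derives a 32-byte AES key from the passphrase with PBKDF2-HMAC-SHA256
// (RFC 8018; one output block is all AES-256 needs) and wraps it in AES-GCM.
func chunkAEAD(passphrase string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfIter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key)  // cannot fail: the key is always 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has GCM's 16-byte block size
	return aead
}

// sealChunk encrypts one backup chunk client-side as salt || nonce || ciphertext+tag, so the
// server only stores the sealed blob. A fresh salt and nonce per call make identical chunks
// produce different blobs, which is why server-side dedup stops working once this is on.
func sealChunk(passphrase string, chunk []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	aead := chunkAEAD(passphrase, hdr[:saltLen])
	return aead.Seal(hdr, hdr[saltLen:], chunk, nil), nil
}

// openChunk reverses sealChunk (blob must be at least saltLen+nonceLen bytes); a wrong passphrase or a modified blob fails the GCM tag check.
func openChunk(passphrase string, blob []byte) ([]byte, error) {
	aead := chunkAEAD(passphrase, blob[:saltLen])
	return aead.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}
```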