Additionally from an infosec perspective, not encrypting user data on pods is a serious security fail.
It is routine to encrypt passwords, but not any other part of the database. It would make most web applications unusable. The continual encrypt/decrypt cycle would nearly paralyze a server (pod) that has more than a very minimal amount of activity (including activity federated from other pods).
Do you store the keys on the server, or do you make podmins enter the keys every time there is a reboot? Because it would certainly be hard to run most SELECT x WHERE … queries when the contents of the database are just opaque blobs.
So it is not just Diaspora that doesn’t do this. It is nearly every site anywhere.
The other question i have is Diaspora Pods & TOR? Why isn’t this being done?
That is up to the individual podmin and that person’s hosting company. Some hosting services forbid TOR. Some hosting services may allow Tor hidden services, but forbid relays or exit nodes. Tor is not a magic wand, so those who choose to host Tor services, relays, exit nodes should take the time to understand the implications of what they are doing first.
… maybe you could even have people teach users about security, things like steganography for example
Steganography is security by obscurity. As soon as someone who can intercept your messages suspects that you are using steganography, hiding secret messages within the content of other files or messages, the content of your hidden messages is in danger. Naturally, it depends on the resources available to your presumed attacker, but if you assume that a government agency or one of the large telecoms that carry the data has an interest in it, they will get the hidden message.
That being said, individual users on various pods can (and have) discussed steganography. It is definitely not something that should occupy the time of Diaspora developers (that is, D* should not add a data-hiding tool), but it is certainly of interest to some users.