Unless the SR server is compromised before the vendor marks the order In Transit, you have nothing to worry about. The chances of that happening are extremely small. The way I look at encrypting my address, it's like wearing a seat belt. The chances of being in a car accident in the next week or month or even year are pretty slim, but wearing a seat belt costs me nothing, and it could be extremely important in the unlikely event that I am in a car accident. So I wear a seat belt every time. Same with PGP. It costs you almost nothing -- ok, about 30 seconds of your time -- but in the unlikely event that the SR server is compromised, they will probably go after the low hanging fruit, the people with plaintext addresses on the server. Might as well encrypt. There are actually more dangerous aspects of this. Some vendors will send you a tracking code by SR message. That code has your address, of course, which completely nullifies encrypting it at the time of making the purchase. Further, the address is deleted from the SR server after the order is marked In Transit, so it is kept for only a day or two, but messages are stored for months after they are deleted. That's a big liability, especially for big orders that LE would be interested in. If a vendor sends tracking codes, you should instruct them not to do that, or to encrypt the codes with your public key.