Vendors can decrypt ciphertext entirely in RAM, the same place the plaintext will be when they view a plaintext message sent to them over SR. The difference is that when customers send a plaintext message it is in plaintext on persistent memory on the SR server, in either case it is in plaintext in the vendors RAM. Also I do not believe at all that vendors are much more likely to have their computers seized than the central SR server is be seized. Not to mention the keyword central, there are thousands of vendors but there is a single (or cluster of synchronized...) SR server. That means one thing needs to be compromised to get all addresses sent in plaintext, thousands of things need to be compromised to get all addresses that are sent encrypted. I don't understand the compounded risk of customers having vendor keys, unless you mean perhaps that it could fingerprint them as being a member of SR and working with said vendors. Regardless, that is what you use FDE and Truecrypt containers for.