Understood. However, I would say that encrypting this sort of personal information on a per-customer basis is worth the resource hit. We shouldn't want that information cached even by accident.
Without knowing more details, I think your analysis sounds correct.
What I want to know is, why isn't this information encrypted apart from the SSL connection? There should be a public-private key pair for every customer, managed by the Steam infrastructure and used to encrypt these sensitive details. In other words, personal information is encrypted long before it gets anywhere near the caches. That way, if there is a caching problem, the problem is minimal.
I don't like the idea of relying on SSL to protect this information.
Shrugs. I don't know (none of us do at this point) but I'll be very interested to hear what the cause of all this is.
The best book on programming for the layman is "Alice in Wonderland"; but that's because it's the best book on anything for the layman.