I attended the tech details IO session (https://developers.google.com/events/io/sessions/gooio2012/313/ - as of this writing, the video isn't up yet), and they said the encryption keys don't leave the server where the data resides.
Having blowfish support available is useless unless it is the default since most people won't change it.
If this is a good law in theory, then what is your stance on the citizens of the USA's right to bear arms?
The first link in the story is the human-readable changelog.
The instance and bandwidth expenses are garbage compared to AWS.
True, but on app engine you don't have to worry about scaling, licenses, upgrades, etc. This is worth the extra cost to some.