Similarly to #3, it would be great to support server side encryption via customer-provided keys (SSE-C). It is quite usual for S3 clients to support SSE via both KMS and customer-provided keys.

It could be configured with something like:

CREATE SECRET encrypted (
    TYPE S3,
    PROVIDER config,
    SSE_C_KEY ' base64-encoded encryption key'
);