This is something in between a bug report and a question, since it's not clear if this is by design or if it's really a bug.
So we have one major (external) key which is used to encrypt per-database encryption keys. The encryption keys are created when the database is created, but it seems they are not destroyed when the database is dropped (at least from what I can see based on the file sizes, since we don't have a tool to decrypt files).
It seems you can purge those old keys by rotating the replica set instance. This way you can both rotate all the keys (external + per-database) for one instance and also not have those old per-database keys, but it is not clear if this is by design or not, since if you have one instance and never rotate it, the key database will just grow over time.
I have created and destroyed 500000 databases and the keyfile has grown to 30M:
This may or may not be the problem, but it needs to be clear how it's supposed to work.