Based on the documentation, to save a backup to some cloud provider, we should execute the following command:
xtrabackup --backup --stream=xbstream --target-dir=/tmp | xbcloud \ put [options] <name>
Let's combine this with a custom transition key:
xtrabackup --backup --stream=xbstream --transition-key=foobar > xbstream.output
After taking this backup, look for the transition key in it:
cat xbstream.output | grep -a foobar
And it's there in clear text, written as part of the tool_command in xtrabackup_info. Conveniently at the end of the file, so executing tail instead of grep is also enough.
Meaning that anybody who uses this approach to save an encrypted database on the cloud basically exposes his entire data (and tablespace keys, which will stay the same until he rebuilds all encrypted tables)