The first thing that came to mind was the GRASP principles.
Seems like you have a pretty good handle on the considerations, which I must say I find quite rare. Perhaps 1 in 10 understand the implications of their design choices.
I find these particularly astute: "... because conditions are not related to the state of an object O" and "Because we think then it could be encapsulated but otherwise not"
I would say go by the Principle of Least Astonishment when deciding which way to go. Have one or more colleagues who are not familiar with the design try to look for the logic of where the decision is made. See how they go through the code to find it. Where do they look first? Why did they look there? If their reasoning is logical, that might be the most natural place to put that logic. If their reasoning is not sound, then maybe they need to be educated a little bit.
One thing I'll say: I wouldn't put it in the controller. For me, a controller should just delegate to the component that knows the business rules for routing the request further. So given that you said the conditions are not dependent on the state of the O object, I would find the object or class where it makes most sense to put the "knowledge" of deciding whether to do client- or server-side encryption. That said, I would lean towards the second approach you described.
Caveat: I haven't seen your code so there's really no telling which way is better. For me, reading code that makes sense and that I can intuitively understand is what helps me decide whether I've made a good design choice or not.
Hope this helps.