love what you're doing here. this seems a bit too strict:
> If a feature cannot be built in this manner, all data must be end-to-end encrypted and the owner of the device must be the exclusive holder of the private key
this sort of rules out any form of collaborative activity that involves publishing or sharing data.
I suggest seeking inspiration in the distinction between SaaSS (bad) and somebody else's computing (a term I've just made up to refer to networked computing you may interact with or even participate in, but that's not yours for you to deserve control over it)
a lot publishing and communication software are excluded from SaaSS on these grounds, but the line to be drawn here WRT data should be a little different: encrypting private communications is indeed a must, but encrypting what's meant to be public, e.g. data you contribute to a FS project or to OSMap or Wikipedia? what's even end-to-end in these contexts?