Is there any possibility or likelyhood that products like Onenote (remarkably free) secretly embed the 'Section' password that you devise to protect it, before it goes off to OneDrive. Such password could itself be masked to avoid the originator snooping with a hex editor and spotting it? The alternative is that I am paranoid and don't trust anything of such quality that is free (like lunch).
To add to the original post, I have just found this... http://technet.microsoft.com/en-us/library/jj923033.aspx Previously encrypted files The Office DocRecrypt tool can’t be used to recover files that were password-protected before you deployed the certificate and escrow key. However, after you’ve deployed the certificate and escrow key, if a user opens a previously protected file in Office 2013 and then saves it, the escrow key is added to the file at that time. From that point on, you’ll be able to remove or reset the file’s password using the Office DocRecrypt tool. ... so does Microsoft add an escrow key when it creates the 'web' notebook??