The one thing that I never see answered in the proposals is a simple answer to, "what's stopping CSAM users from using open-source encryption?".

You can ban this at a provider scale, but you simply can't track or enforce custom implementations at a small scale.