Hi Nym,
It is veering off topic but to answer your post...
Encrypting the whole wallet would certainly work - you could use the org.multibit.crypto.EncrypterDecrypterAESScrypt to do it.
The disadvantage is that you would not be able to do the 'routine' things like adding new transactions as they come from the network without the passphrase (as everything is encrypted). I've gone with the approach of just encrypting the private keys - same as bitcoind - so that you just need the passphrase for sends and key management.
You could combine the two approaches - for instance the blockchain.info double encrypted backups have the private keys encrypted with AES and then the whole JSON structure is encrypted with another password to make it opaque.
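The keys-only approach described in the post above, as an added example that is not part of the thread and is not MultiBit, bitcoind or blockchain.info code. Assumptions: the `KeysOnlyWallet` class and its fields are hypothetical, the sample key and transaction id are constructed, and PBKDF2 with AES-GCM from the JDK stands in for the scrypt-based class named in the post.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Hypothetical wallet for illustration; not the MultiBit or bitcoinj wallet format.
public class KeysOnlyWallet {
    final List<String> transactions = new ArrayList<>(); // kept in the clear
    final byte[] salt = new byte[16];
    final byte[] iv = new byte[12];
    final byte[] encryptedPrivateKey;                    // the only passphrase-protected field

    KeysOnlyWallet(byte[] privateKey, char[] passphrase) throws Exception {
        SecureRandom rng = new SecureRandom();
        rng.nextBytes(salt);
        rng.nextBytes(iv);
        encryptedPrivateKey = cipher(Cipher.ENCRYPT_MODE, passphrase).doFinal(privateKey);
    }

    // Assumption: PBKDF2 is used because it ships with the JDK; it is not scrypt.
    private Cipher cipher(int mode, char[] passphrase) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, 200_000, 256);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(k, "AES"), new GCMParameterSpec(128, iv));
        return c;
    }

    // Routine update from the network: no passphrase involved.
    void addTransaction(String txId) { transactions.add(txId); }

    // Needed only for sends and key management; a wrong passphrase fails the GCM tag check.
    byte[] unlockPrivateKey(char[] passphrase) throws Exception {
        return cipher(Cipher.DECRYPT_MODE, passphrase).doFinal(encryptedPrivateKey);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-sample-private-key".getBytes("UTF-8");
        KeysOnlyWallet w = new KeysOnlyWallet(key, "correct horse".toCharArray());
        w.addTransaction("constructed-txid-0001");       // works while the key stays locked
        byte[] recovered = w.unlockPrivateKey("correct horse".toCharArray());
        System.out.println(w.transactions.size() + " tx, key recovered: " + Arrays.equals(key, recovered));
        try { w.unlockPrivateKey("wrong".toCharArray()); }
        catch (AEADBadTagException e) { System.out.println("wrong passphrase rejected"); }
    }
}
```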
Thanks for your reply Jim - My thoughts exactly. Regarding Android clients (on topic), I was curious if an alternative approach to your (pending, proper) solution would be useful for Android wallet developers.
I may be implementing my simpler approach for the SatoshiRoller app (using cipher streams).