If I now generate a new receiving address from the wallet and receive funds on that address, would the private key for that new address (and therefore funds) be available to an opportunistic computer repair guy if he were to dump all addresses and private keys from the un-encrypted wallet.dat? i.e., if he generated all addresses in the pool in the un-encrypted wallet.dat, would my new receiving address and private key eventually show up for him?
Does keypoolrefill replace all old addresses with new addresses in the pool or only just replenish back to the maximum? If replaces, then that one command would insure that I'd get an address that's not in the old wallet.dat.
For old/non-HD wallet, the keypool is refreshed to generate different set of private keys. As for HD wallet, your master private key will be changed. So the repair guy unable to know newly generated private key/address.
Should I just create a new wallet, encrypt it and use a receiving address from the new wallet to receive future funds (and transfer the $40 to an address in the new wallet)? This is a simple thing to do, I just want to understand what addresses are in a wallet using this hypothetical situation.
Yes, you should do that
immediately for these reason,
1. I would consider your Bitcoin is currently vulnerable.
2. You don't want accidentally re-use Bitcoin address which created before you encrypt the wallet file.