Section 230 doesn't apply to CSAM, since SESTA/FOSTA

If your software encrypts user data with a user owned key that you never touch, i.e. everything is encrypted at rest, can you still be liable if it's later proven to be CSAM?

If you have knowledge of CSAM or reasonably expect CSAM exists in the traffic you're forwarding, you have liability.

Not much. While this may keep you out of jail, it will not prevent you from being raided at four in the morning and having your pets shot and all your computers seized for months.

Won't prevent your pipes and hosts from extorting or struggling you either.