That being said, I store all my sensitive information in a huge
  reference.org file that is added to the agenda. I sync this (among
  other org files) to MobileOrg through a HTTPS-secured WebDav server.

I do this, but I use my own server, not dropbox.

It would be nice if there were some interoperable crypto between
MobileOrg and org, so that the server files were encrypted.