Deleting “security.plist” isn’t relevant anymore, because that file only exists in Day One Classic. In Day One 2, the Day One passcode is stored in the system keychain, so to delete it you must also have the user’s system login password. You’re right that the security.plist system was hardly secure, and it’s something we intentionally improved in 2.0.
With end-to-end encryption in 2.1, we’re protecting your data from server-side access to your private journaling data. Local disk encryption is another topic we may address in the future, and I defer to Alan’s earlier response on that topic. (Maybe at WWDC, Apple will announce a stronger sandboxing model for OS X, and the whole issue will largely be resolved!)