Severity and explanation of enable-performance-insights-encryption #1960
Unanswered · zifot asked this question in Help and suppports · Replies: 0 comments
In AWS, services that support encryption often offer using an encryption key managed by the customer, or a more basic and default setup of using a key managed by AWS.

For many of them, if we choose the simpler setup of an AWS-owned key, tfsec issues a LOW priority warning and in its docs it mentions that using your own key gives you more control. Examples of such warnings are: `aws-cloudwatch-log-group-customer-key`, `aws-ssm-secret-use-customer-key`, `aws-ecr-repository-customer-key`.

But `enable-performance-insights-encryption` is different. Not using your own key when activating Performance Insights for RDS results in a warning with HIGH priority, the docs stating that "Data can be read from the RDS Performance Insights if it is compromised". AWS docs seem to confirm that not using your own key does not mean encryption is turned off: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_PerfInsights.access-control.html#USER_PerfInsights.access-control.cmk-policy.

So I'm wondering where this discrepancy comes from. Is this just a mistake, or does this error actually indicate some more problematic setup than in the other similar cases?
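As an added example, not part of the question above or of the tfsec project, the two Terraform shapes that this check distinguishes, assuming the AWS provider's `aws_db_instance` and `aws_kms_key` resources; the instance settings, resource names and `var.db_password` are constructed:

```hcl
# Added example (not from the question or the tfsec project): the two shapes
# of aws_db_instance that enable-performance-insights-encryption tells apart.
# Instance settings, names and var.db_password are constructed placeholders.

variable "db_password" {
  type      = string
  sensitive = true
}

# Customer-managed key reused for storage and for Performance Insights data.
resource "aws_kms_key" "rds" {
  description         = "CMK for RDS storage and Performance Insights"
  enable_key_rotation = true
}

# Flagged: Performance Insights is on but no customer key is referenced, so
# AWS falls back to its own key. Data is still encrypted at rest (per the AWS
# docs linked above); what is lost is key-policy control over who can decrypt.
resource "aws_db_instance" "flagged" {
  identifier                   = "example-flagged"
  engine                       = "postgres"
  instance_class               = "db.t3.medium"
  allocated_storage            = 20
  username                     = "app"
  password                     = var.db_password
  storage_encrypted            = true
  performance_insights_enabled = true
  # performance_insights_kms_key_id is absent -> AWS-owned key is used
}

# Passing: the same instance with the customer-managed key set explicitly for
# both storage encryption and Performance Insights.
resource "aws_db_instance" "passing" {
  identifier                      = "example-passing"
  engine                          = "postgres"
  instance_class                  = "db.t3.medium"
  allocated_storage               = 20
  username                        = "app"
  password                        = var.db_password
  storage_encrypted               = true
  kms_key_id                      = aws_kms_key.rds.arn
  performance_insights_enabled    = true
  performance_insights_kms_key_id = aws_kms_key.rds.arn
}
```

Running tfsec over a directory containing only the `passing` resource should clear the check; the `flagged` resource reproduces the HIGH finding the question describes.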