Treating ‘metadata’ as a second-class citizen in security is dangerous. With a goal of leaking as little information as possible, things like file names, hashes of plaintext, exact file sizes, and permissions are operated upon with the same level of scrutiny as plaintext.
In order to achieve the greatest possible security, the only place plaintext should exist is where it is used.
Begin with the assumption that every system has already been hacked. Only store hashes or encrypted values.
It’s unambiguous what the client is sending to the server. As a customer, you know what data is leaving your environment and how.
When building a cloud security system such as Oblivious, it's helpful to think that you're keeping data safe from a hostile government. This makes for a useful proxy for any attacker that's well funded, employs many smart people, and isn't afraid of breaking the law.