Suppose that a user runs a query against the encrypted field ssn. The user then wants to retrieve data about that query as it executes by running the following $currentOp pipeline:

db.aggregate([{$currentOp: {}}, {$match: {"filter.ssn": "123-45-6789"}}]);

Mongocryptd will be unable to detect that the query value should be encrypted before being sent to the server because it won't have the relevant schema information. Therefore, we will have to make mongocryptd return an error whenever it encounters a $currentOp metadata source.

To be safe, we may wish to error on all metadata sources, not just $currentOp. Another that comes to mind as dangerous is $planCacheStats.