The current serialize(km) builds the full keyring as a String in memory before encrypting. A serialize_to(km, writer: impl Write) approach writes incrementally, which matters once keyrings grow large and is the correct API shape for pipe-based export. The encrypted .rpg write path would become: open file → stream serializer → AES-GCM encrypt-on-the-fly → write, with no full-plaintext copy in memory.
The current `serialize(km)` builds the full keyring as a `String` in memory before encrypting. A `serialize_to(km, writer: impl Write)` approach writes incrementally, which matters once keyrings grow large and is the correct API shape for pipe-based export. The encrypted `.rpg` write path would become: open file → stream serializer → AES-GCM encrypt-on-the-fly → write, with no full-plaintext copy in memory.