> The url effectively contains the decryption key, so the web server could be set to capture the urls and decrypt files.

If that's the case, I think setting a passphrase should be mandatory. Proxy servers are extremely common at every workplace. Since they probably log all requests, they will capture all keys in the URL.