They're different things though.

> Cryptographic security isn't a property of a data format…

True, although a data format can have cryptographic issues (e.g. there should be one and only one encoding for a particular datum, and if there're multiple encodings then there are issues).

> …nor is there a clear way to layer it onto arbitrary data formats.

True enough, which is why canonical S-expressions were invented by Ron Rivest in order to enable a particular type of PKI—the format was created in order to serve a purpose; the purpose wasn't crammed atop some random format.

> Properly designed cryptography functions at a higher layer that that.

You're of course correct. Fortunately, SPKI does work at a higher level than its (elegant) data format: it's actually all about trust calculus across certificate and name tuples. It's mostly orthogonal to encryption, but encryption just kinda falls out naturally from what it does handle.

And S-expressions are still so, so much nicer than JSON.