In log messages about a hidden service we operate, we don't replace the hidden service name with [scrubbed]. Historically, this was considered fine, because you have your hostname and private_key files on disk already. But if the user puts his $datadir on encrypted storage, and the logs aren't on encrypted storage, then the logs could be the weak link.