Note, that is the keypool of unused keys for future use; any address shown to you in the interface or that has received coins as change is kept when the new encrypted wallet is created, and those private keys may still be floating around on disk sectors and deleted files.
The OP's question had to do with new wallets (with no coins yet).
But for a used wallet, you are correct. When you encrypt a wallet, all the unused keys become marked as used, so those aren't a concern. For addresses that are used, however (e.g., received and not spent, or used for receiving change), the release notes for bitcoin-qt v0.5.0 specify the solution to that:
Send all of your bitcoins to yourself using a new bitcoin address. Don't re-use any addresses generated before wallet encryption was enabled.
- http://bitcoin.org/releases/2011/11/21/v0.5.0.html