Someone in an Amazon datacenter that gets ahold of a random backup tape/hard drive can't read it. I'm not sure if Dropbox is hosted on EC2, but if not, it means that Amazon couldn't read the data at all. (If it's hosted on EC2, Amazon could probably get ahold of the key if they really wanted to)

Going off of that assumption, what if the decryption keys were also stored in an Amazon data center? It is then possible for Amazon read the contents of these files.

I'd like to hear from Dropbox how this works instead of speculation.

If their storage API is compromised your data isn't... you need to compromise their decryption API and the storage API.

With luck the same sets of staff will not have access to both, et cetera.