I think it's also important to recognize how much of a "check the box" security control encryption at rest has become for many vendors/GRC teams. A lot of times, the encryption at rest control only has the capability to prevent somebody from physically detaching the disk and trying to mount it with their own machine and access the data that way. In a world where many companies now run their workloads on public cloud providers who keep their hardware in distributed cages in secure datacenters, this isn't the security control many assume it is.
If you're trying to prevent an actor who has gained a foothold on a box/network from seeing plaintext data that is actually in use by the actual production system at that very moment, you're looking for a much stronger type of control - probably some sort of client-side encryption or obfuscation/tokenization.
Finally, someone points out the emperor has no clothes. When customers first started requesting encryption at rest, it didn’t make any sense to me — the threats it mitigates aren’t worth worrying about if you’re using public cloud.