by AlexITC 1214 days ago
Be aware that there are some encryption algorithms where decryption with the wrong key won't fail but will lead to a wrong result (rot13 being the simplest example; there are some modes in AES with this behavior too).

A potential improvement could be to use a different key per customer, where the key mapping (customer -> key) is encrypted with the application key. This process simplifies key rotation and prevents a leaked key from getting access to all the secrets.

The key mapping schema could be handled with Postgres security definer functions to avoid dumping the schema from code.
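The two points in the comment above, as an added Go example (not code from the commenter or from the project under discussion): unauthenticated AES-CTR returns garbage under the wrong key while AES-GCM returns an error, and a per-customer key is stored wrapped under the application key. The function names, the demo keys, the zero IV and the sample secret are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func must[T any](v T, err error) T { // panic on setup errors (bad key size, RNG failure)
	if err != nil {
		panic(err)
	}
	return v
}

// seal encrypts pt with AES-GCM under key and prepends the random nonce.
func seal(key, pt []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, pt, nil)
}

// open returns an error if the key is wrong or box was altered (GCM tag check).
func open(key, box []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if n := gcm.NonceSize(); len(box) >= n {
		return gcm.Open(nil, box[:n], box[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// ctr is unauthenticated AES-CTR: a wrong key yields garbage, never an error.
func ctr(key, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(must(aes.NewCipher(key)), iv).XORKeyStream(out, in)
	return out
}

func main() {
	app, keyA, keyB := make([]byte, 32), make([]byte, 32), make([]byte, 32)
	keyA[0], keyB[0] = 1, 2                          // constructed demo keys; use a CSPRNG or KMS
	wrappedA := seal(app, keyA)                      // stored mapping entry: customer A -> key
	box := seal(keyA, []byte("api-token"))           // customer A's secret
	pt := must(open(must(open(app, wrappedA)), box)) // unwrap the key, then decrypt
	_, err := open(keyB, box)                        // customer B's key is rejected
	iv := make([]byte, aes.BlockSize)                // constructed zero IV, demo only
	fmt.Printf("GCM wrong key: %v\nCTR wrong key: %q\n", err, ctr(keyB, iv, ctr(keyA, iv, pt)))
}
```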