[ordinary]

This is incorrect. Both in the new scheme and the old, sensitive data is encrypted. In the old scheme, this key was randomly generated, while in the new, it is derived from a password. Either way, you do not need to trust Mozilla.

The main security concern (as far as I can tell, and I'm far from an expert) seems to be that the KDF used in the new protocol is not as strong as the one used in the current Sync protocol.

You should read the link posted in the post you replied to, especially the security analysis. It is quite readable and might allay some of your fears.