I think everything should be encrypted and users should set public/private parameters, authorize/revoke UIs to decrypt for every transaction/operation from their account.

However, since reward pool is a public resource any action affecting distribution of the rewards would have to remain public.