Until we have full support for $lookup over QE collections, we should disallow users from performing $lookups that include sub-pipeline match expressions containing values for QE-encrypted fields.  We currently don't implement the server-side rewrites to support this, so running such aggregations on encrypted collections will return incorrect results.