WeTheNorth's message system is encrypted by the storefront. But every message is decryptable by the storefront itself, which means it is decryptable by anyone who compromises the storefront database.
What layering PGP on top adds
If you encrypt your shipping address to the vendor's PGP key before pasting it into the message system, the storefront sees only ciphertext for the address field. A seized database returns nothing useful.
What to encrypt
Name. Address. Phone number. Tracking number if you exchange one. Any identifier that could link the order back to your real identity.
What you do not need to encrypt
Order coordination questions. Dispute discussion. Generic messages. The storefront-side encryption is fine for anything that does not include an identifier.
How
Import the vendor PGP key. Encrypt with gpg --encrypt --armor -r vendor-key-id. Paste the ciphertext block into the storefront message. Vendor decrypts with their private key.
Two minutes per order
Costs you two minutes. Closes a permanent risk.