I had also tweeted a guy who works for the Visual Studio Web team and he came through with this answer:
Add the property <MSDeployEnableWebConfigEncryptRule>true</MSDeployEnableWebConfigEncryptRule>
to your .pubxml file
I figured it'd be like this, but previously could not find any references to the proper tag name, MSDeployEnableWebConfigEncryptRule, anywhere.