Encrypted VXLAN / benefits of using openvswitch (vs native) driver

Native vs openvswitch may give you a performance difference depending on kernel and workload. The other advantage of openvswitch is that it doesn’t appear to have a port limit on its bridges, so while a Linux bridge will fail after you bind 1024 containers, openvswitch won’t.

For encrypted vxlan, I’m not finding any good references on how this all works on Linux.
There are references to it being based on some kind of L2 IPSEC (MACSEC) but I can’t find how you’re supposed to tell the Linux kernel about keys.

If you have any reference on setting this up with iproute2 (the “ip” command), let me know and I’ll look into adding at least a basic version of this (probably simple PSK based encryption).
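One way the kernel can be told about keys with nothing but iproute2, added here as an illustration and not code from the poster or from any project discussed above: instead of MACsec, this uses the kernel's IPsec (`ip xfrm`) in transport mode, with a selector that covers only the VXLAN UDP port, so the encapsulated frames are encrypted in ESP while other traffic between the two hosts is untouched. The addresses (192.0.2.x), VNI, SPIs and hex keys are placeholders chosen for the example; `DRY_RUN=1` (the default) only prints the commands, `DRY_RUN=0` applies them and needs root.

```shell
#!/bin/sh
# Added example (not from the original post): protect a VXLAN tunnel between two
# hosts with kernel IPsec in transport mode, keyed from pre-shared keys, using
# only iproute2 (`ip link`, `ip xfrm`). Addresses, VNI, SPIs and keys below are
# placeholders. DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them.
LOCAL=${LOCAL:-192.0.2.1}        # this host's underlay address (placeholder)
REMOTE=${REMOTE:-192.0.2.2}      # peer's underlay address (placeholder)
VNI=${VNI:-100}                  # VXLAN network identifier (placeholder)
VXLAN_PORT=${VXLAN_PORT:-4789}   # IANA-assigned VXLAN UDP port
# SPIs are tied to direction: the peer runs this with LOCAL/REMOTE and
# SPI_OUT/SPI_IN swapped so both ends agree on which SPI goes which way.
SPI_OUT=${SPI_OUT:-0x1001}
SPI_IN=${SPI_IN:-0x1002}
# Keymat for rfc4106(gcm(aes)) = 16-byte AES-128 key + 4-byte salt = 40 hex
# digits. Use one key per direction: reusing a single AES-GCM key for both
# senders risks nonce reuse. Placeholders; generate real ones with
# `openssl rand -hex 20` and distribute out of band (these are the "PSKs").
KEY_OUT=${KEY_OUT:-0x000102030405060708090a0b0c0d0e0f10111213}
KEY_IN=${KEY_IN:-0x202122232425262728292a2b2c2d2e2f30313233}
DRY_RUN=${DRY_RUN:-1}

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the VXLAN device pinned to the peer. It is then enslaved to a Linux
# bridge or added as an openvswitch port exactly as an unencrypted one would be.
vxlan_setup() {
  run ip link add vxlan"$VNI" type vxlan id "$VNI" local "$LOCAL" remote "$REMOTE" dstport "$VXLAN_PORT"
  run ip link set vxlan"$VNI" up
}

# Encrypting SA for our outbound VXLAN datagrams plus the policy that forces
# them through it. The selector limits both to UDP/VXLAN_PORT.
vxlan_ipsec_out() {
  run ip xfrm state add src "$LOCAL" dst "$REMOTE" proto esp spi "$SPI_OUT" reqid 1 \
      mode transport aead 'rfc4106(gcm(aes))' "$KEY_OUT" 128 \
      sel src "$LOCAL" dst "$REMOTE" proto udp dport "$VXLAN_PORT"
  run ip xfrm policy add src "$LOCAL" dst "$REMOTE" proto udp dport "$VXLAN_PORT" dir out \
      tmpl src "$LOCAL" dst "$REMOTE" proto esp reqid 1 mode transport
}

# Mirror image for inbound datagrams. The "dir in" policy is the part that
# matters defensively: unprotected VXLAN arriving from REMOTE no longer matches
# the policy and is dropped, so the tunnel cannot silently fall back to plaintext.
vxlan_ipsec_in() {
  run ip xfrm state add src "$REMOTE" dst "$LOCAL" proto esp spi "$SPI_IN" reqid 2 \
      mode transport aead 'rfc4106(gcm(aes))' "$KEY_IN" 128 \
      sel src "$REMOTE" dst "$LOCAL" proto udp dport "$VXLAN_PORT"
  run ip xfrm policy add src "$REMOTE" dst "$LOCAL" proto udp dport "$VXLAN_PORT" dir in \
      tmpl src "$REMOTE" dst "$LOCAL" proto esp reqid 2 mode transport
}

# Usage (as root, on each host with its own LOCAL/REMOTE/SPI/KEY values):
#   DRY_RUN=0 LOCAL=... REMOTE=... KEY_OUT=... KEY_IN=... sh vxlan-ipsec.sh
vxlan_setup
vxlan_ipsec_out
vxlan_ipsec_in
```

After applying, `ip xfrm state` and `ip xfrm policy` show the installed entries, and a packet capture on the underlay between the two hosts should show ESP rather than UDP/4789 for the container traffic; if cleartext VXLAN still appears, the selector (addresses or port) does not match what the VXLAN device is actually sending.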