Steve,
The question of nesting doesn't seem to have an obvious answer, so I
guess we simply get to list some issues, balance them as best we can,
throw a dart at a map, and choose a position.
The discussions I have had with some security types suggest to me
that application/pem is the most appropriate for their privacy needs, since
they have the explicit goal of hiding everything inside the encryption.
For simple message authentication, when "hiding" is not a goal,
my own view is that message/pem makes sense, since it becomes possible
for non-pem software to process the content (i.e., the contained
message) if not to authenticate it.
Mumble.
Dave