> my whole point was that letting exceptions bubble is not a universally acceptable policy.

It should be. It should bubble to whatever boundary you have (web API, event loop, etc). At that boundary, if it's not supposed to leak information then don't. Do whatever sanitation you need at one point only. Good use of exceptions should have as few "catch" blocks as possible.