Currently, if decryption in a backend fails, it is non obvious where the problem originates.
For example, when using hiera-eyaml-gpg, with multiple keys you might get
if hiera is trying to decrypt part of the hierarchy it doesn't have the private key for. See
hiera-eyaml is a bit of an odd one in that https://github.com/voxpupuli/hiera-eyaml is the gem with most of the decryption code and support for multiple decryption plugins. But the entry point for hiera 5 lookups is lib/puppet/functions/eyaml_lookup_key.rb in core puppet and this is where changes to improve logging would have to be made.