Wild guess: Amazon does nothing to solve sync conflicts, because it's highly correlated with your app business. Amazon gives you all conflicting versions and some flags telling your app "there's a conflict, you should fix it". Much like CouchDB.
So if it works like that, you absolutely can encrypt your payload client-side, and use Cognito as a mere transport.
Exactly. I don't know why people are so attracted to locked-in solutions like Parse or now this when Couch has already been doing it for a long time, and there are mature third-party providers (Cloudant, Iriscouch, etc.) that can help you get off the ground just as easily without ever being locked in with them.