I need to traverse an untrusted ethernet (short wireless link).
By "wireless" do you mean WiFi, or something else?
If WiFi, and you're worried about snooping by the other clients on the same net, your APs may have the ability to set up a secondary SSID, which gets you a separately-encrypted network, assuming you pair it with WPA2-PSK or similar. Now your L2 is encrypted. Yay!
I want both sides of the link on the same subnet.
Why? Routing between subnets is what routers do. Separate subnets on each side of an inter-building link is the normal way things are done, so it's the way routers work best.
If you have a specific thing that will fail unless you put everything on the same subnet with transparent L2 forwarding, name it. I'll bet you get answers showing how that problem is easily overcome.
I know I can use EoIP or L2TP
Neither tunnelling method supports encryption in itself. If you want encrypted EoIP, you run it over encrypted L2, which brings us right back to your question. For L2TP, that's normally paired with IPsec to get encryption.
wrapping and unwrapping L2 in L3 adds a lot of overhead.
Some, yes, but the encryption itself likely contributes more to any benchmark differences.
My first thought was PPPoE
I think you're confusing encrypted data transport with encrypted authentication. Once the CHAP or whatever stage is over, PPPoE is unencrypted.
[PPPoE] also seems to be substituting one set of encapsulation for another.
Yeah, 8 octets per Ethernet frame. If you want to get it to zero, run a cable.