I really like the look of CloudKit’s new support for encryption. You can’t use encrypted fields in queries because the server can’t read them, but otherwise I don’t see any downsides. See developer.apple.com/wwdc21/10086 and developer.apple.com/documentation/cloudkit/ckrecord/3746821-encryptedvalues