If you assume everything is compromised, there is no safety. You have to trust something at some point.

Usually, speaking from a professional IT perspective, people trust encryption. Once you do that, it does not matter how safe or unsafe the place where you store your data is.

AES, the encryption standard used by pretty much everything, is safe. It has not been weakened in any meaningful way since its inception and is also quantum - safe.

You could use for example openssl or Veracrypt or even just 7zip to encrypt it. If you don’t trust these tools, encrypt it twice with two different ones, just put a txt file next to it with the exact steps to decrypt, because you will forget in which order you have done things.

Personally I have a homeserver that is encrypted at rest and then it uses restic to store encrypted backups in the cloud.

Thank you everyone so much for your responses. You’ve truly opened my eyes to so many aspects I hadn’t even considered before.

Your insights were not only thoughtful but also incredibly helpful. It’s rare to come across such comprehensive answers that cover so many angles, and I really appreciate the time and effort you took to share them.

Each of you has given me a lot to think about, and

I’m grateful for the depth of understanding you provided. Thanks again!

As a first step, I’d like to pick one of the programs to start with:

Cryptomator

gocryptfs (not so Windows-friendly)

GnuPG

VeraCrypt (slower than TrueCrypt, and since it’s offered as a replacement, it makes me suspicious, especially since TrueCrypt mysteriously vanished without providing any explanation. Some people believe VeraCrypt might have backdoors, whereas TrueCrypt’s abandonment perhaps didn’t provide any backdoors.)

TrueCrypt (I have used it occasionally on my Windows PC, although it is no longer updated)