I feel that apps should do the following (if we can force it then great). Create an encrypted file system that decrypts only on login. All data can be stored there for offline work. This is not likely all your data as that may not fit on a single machine, but certainly it shoudl be encrypted.
There were some such FUSE based filesystems called enc-fs IIRC, but that is the minimum we should accept. Problem is then there is some local data on your machine and that’s not always great, so that option needs probably to be off by default and opt-in.
Storing encrypted chunks (blob) data should be almost impossible to decrypt (if they were created via our self-encrypt lib). I see this as a fantastic opportunity. The network on restart pays folk to re-publish any missing network data. (Network data is data that has been signed by a network section in the past and that is provable).