That makes sense. As of now I have not considered the VPS approach you mentioned and have only thought of self-hosting, but I can see how in the VPS world it is not safe. Encryption at rest can be obtained by various means:
- Have the disk encrypted like you said.
- Have the DB encrypted with an admin-provided secret, but in this case all users of the instance share that secret and the admin can technically decrypt other users' data.
- Have the app do encryption based on a user-provided password. This gives a per-user secret and encryption.

So encryption at rest will be something among these, preferably option (3).
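
The difference between the admin-provided secret and the per-user password options in the list above, as an added example that is not part of the original post. It assumes Node.js with its built-in `crypto` module, scrypt for key derivation and AES-256-GCM for the record; the function names, user names and secrets are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Derive a 256-bit key from a secret with scrypt. The salt is random per row
// and stored next to the ciphertext; it is not secret.
function deriveKey(secret, salt) {
  return crypto.scryptSync(secret, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Encrypt one record. The owner's id is bound in as associated data so a
// ciphertext cannot be moved to another user's row without failing the tag check.
function encryptRecord(secret, userId, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret, salt), iv);
  cipher.setAAD(Buffer.from(userId));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { userId, salt, iv, ct, tag: cipher.getAuthTag() };
}

// Returns the plaintext, or null when the secret is wrong or the row was altered.
function decryptRecord(secret, row) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(secret, row.salt), row.iv);
  decipher.setAAD(Buffer.from(row.userId));
  decipher.setAuthTag(row.tag);
  try {
    return Buffer.concat([decipher.update(row.ct), decipher.final()]).toString('utf8');
  } catch {
    return null;
  }
}

// Constructed sample data: the same note stored under each scheme.
function demo() {
  const note = 'alice private note';
  // Per-user password: the row is keyed to alice's own password.
  const perUser = encryptRecord('alice-passphrase', 'alice', note);
  // Admin-provided secret: every row on the instance uses the same secret.
  const shared = encryptRecord('admin-instance-secret', 'alice', note);
  return {
    ownerReads: decryptRecord('alice-passphrase', perUser),
    otherUserReads: decryptRecord('bob-passphrase', perUser),
    adminReadsPerUser: decryptRecord('admin-instance-secret', perUser),
    adminReadsShared: decryptRecord('admin-instance-secret', shared),
  };
}

console.log(demo());
```

With a password-derived key, a password change means re-encrypting the user's rows (or re-wrapping a per-user data key), and a forgotten password leaves the data unrecoverable.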