This has been exceptionally done to death on Reddit but I’ll say it here since Reddit is dead.

Authentication -

If what you’re looking for is a login front end you could check out paper merge - personally I’ve got Keycloak and Nginx running so I can just make my own login page anyway and put paperless behind it.

Stuff with sensitive documents should probably not be on the internet anyway unless you’re a really advanced user.

Encryption -

In app encryption offers no security because the encryption key is stored in RAM and likely a database entry that must be unencrypted.

So the Devs are 100% correct in stating that it gives people a false sense of security to offer it as a feature.

Best bet is to have an encrypted filesystem or alternative encrypted storage buuuut, also understand that encryption key is also stored in RAM.

TLDR: There is no point in Devs offering in app encryption when you should already be encrypting the filesystem.

When you say “no built-in security”, are you talking about not having https ? Paperless-ngx does have login security with users and passwords. I believe they recommend using nginx as a reverse-proxy server to implement https if you need it.

When I was looking for a DMS I ran across MayanEDMS. I never got a chance to stand up any DMS but it may be worth checking out their site in case it meets your needs.

Not exactly DMS but I have a WikiJS instance running with MFA enabled and access control. For example, my wife and I can access a set of documents we deem sensitive but other users can’t. I use WikiJS for all my documentation needs.