I've been thinking about this recently, and I'm also interested in ideas.
It depends on how secure your notes need to be. Are we talking personal, sensitive information, or are we talking shopping lists?
Firstly, I would consider doing encryption on the client-side. This means that the data is encrypted before it ever leaves the user's device, essentially becoming E2E encryption. Libsodium might be good for this as it supports 'sealed boxes' (https://libsodium.gitbook.io/doc/public-key_cryptography/sealed_boxes) and has bindings for different languages.
The downside is that if a user loses their password, there would be no way to recover their notes.
There is a pgsodium library you could enable in the DB: https://github.com/michelp/pgsodium. It's installed in projects already. This would move the encryption to the DB instead. You'd lose the benefit of E2E encryption with this approach, but the password hash for the user account could be used as the key. The downside of this is that you haven't really protected the data, you've just moved the key elsewhere in the DB.
I think the best solution would be to have the users provide their own password, and if they lose it, there's no nice way to recover it.
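
An added example, not part of the original post: a sketch of the client-side approach the post recommends, where the key is derived from a password only the user knows and the server stores nothing but ciphertext. It uses Node's built-in `crypto` (scrypt plus AES-256-GCM) in place of libsodium sealed boxes; the function names, record shape and scrypt parameters are assumptions made for illustration.

```javascript
// Added example (not from the original post): encrypt on the device, store only ciphertext.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Assumed scrypt cost parameters; tune them for the slowest device you support.
const KDF_PARAMS = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// The key exists only on the client and is re-derived from the password when needed.
function deriveKey(password, salt) {
  return scryptSync(password.normalize('NFKC'), salt, 32, KDF_PARAMS);
}

// Client side: returns the record that would be uploaded (hypothetical row shape).
function encryptNote(password, noteId, plaintext) {
  const salt = randomBytes(16);
  const nonce = randomBytes(12); // must be unique per encryption under one key
  const cipher = createCipheriv('aes-256-gcm', deriveKey(password, salt), nonce);
  cipher.setAAD(Buffer.from(noteId, 'utf8')); // bind the ciphertext to its note id
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    noteId,
    salt: salt.toString('base64'),
    nonce: nonce.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
}

// Client side: returns the plaintext, or null for a wrong password or altered record.
function decryptNote(password, record) {
  const key = deriveKey(password, Buffer.from(record.salt, 'base64'));
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(record.nonce, 'base64'));
  decipher.setAAD(Buffer.from(record.noteId, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  try {
    const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
    return pt.toString('utf8');
  } catch {
    return null; // authentication failed: nothing is recoverable without the password
  }
}

// Constructed sample data.
const row = encryptNote('correct horse battery', 'note-1', 'dentist, 3pm Tuesday');
console.log(row);
console.log(decryptNote('correct horse battery', row));
console.log(decryptNote('forgotten', row));
```

Because the note id is authenticated as associated data, a stored record copied onto a different note id fails to decrypt, the same way a wrong password does.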