
> I seem to remember that APFS's encryption had a pretty bad reputation in terms of actual security.

Based on what exactly? APFS actually has really good security. You can encrypt on a per-file or per-directory basis. Each per-file key can be encrypted with different levels (the shared key or per-user keys, so permission bypasses are useless).



As in I'm pretty sure that in a previous job, I received semi-official government-issued guidelines: « Don't use it, we know how to crack it, and we're pretty sure that we're not the only ones. If you value your data, use TrueCrypt instead. »

It was pretty thin on details, and the stuff may have been fixed in the meantime, but here you go.


Maybe there's a misunderstanding here, but how could you have gotten advice about APFS in a "previous job", when APFS was only announced a few months ago (and doesn't even have a stable release yet)?


Are you sure you don't mean CoreStorage's encryption? APFS isn't even finished yet.


Ah, I'm probably confused, then. Sorry for the noise.


That's actually a really bad form of encryption, as you leak info on per-file encryption.


All the alternatives I've seen lose authentication, so it's at least not so clear-cut.



