I just noticed that when pdfbox was upgraded due to a security advisory, its optional dependency enabling access to encrypted documents was also removed from DSpace:
The rationale given in the commit message is "Remove BouncyCastle optional dependency (DSpace doesn't support encrypted PDFs)" with no associated Jira issue.
I think this may be misguided, but I'm not 100% sure and it requires a bit of verification.
If I remember correctly, you can have an encrypted PDF that is nonetheless completely readable without a password, so it could be indexed or a thumbnail generated. It's just printing / text selection / editing that may be disallowed. A quick search confirms my hunch:
So I'm leaving this issue as a reminder to verify this before release.
PS: Actually I have found more info, it just wasn't mentioned in the commit: