Thank you, @ChristophWurst. Maybe it could be enriched by adding additional layers, from which the user could choose?
… which could be valid from 1st access to an encrypted email to the end-of-session, or so?
E.g. the user could decide if the private-key passphrase shall be typed before 1st access - or to encrypt the private key involving something simple from a YubiKey (HMAC?) or similar?
Since I’m new here … Is this the point where I might place a “feature request” in the related GitHub repo to share this idea?
I do not use S/MIME. However, I could imagine that the Nextcloud instance must be able to access the unencrypted data independently of the user, similar to server-side encryption. Perhaps @ChristophWurst can confirm or refute this.
Personally, I find that private S/MIME keys on servers contradict the principle of S/MIME. But apparently, unlike TLS, S/MIME is not end-to-end encryption.