Yeah exactly this. Especially if you need to programmatically process that data too. You can even let the customers provide their own managed key too (such as AWS externally managed KMS) in combination with something like AWS nitro enclaves.
I’ve enjoyed building on nitro myself and most things should run in it just fine, just need to build the networking vsock proxy into the nitro image for anything that needs networking (such as DB, where you store the encrypted at rest data).