Not sure what your environment is. I can tell you what I do in linux/android.

I use backblaze b2 for my cloud storage.

I use rclone to create two encrypted “remotes”: one on my local file system and one for b2. Rclone supports a bunch of cloud providers, so you don’t have to use b2.

I mount the encrypted local file system and use whatever app (e.g., paperless) to access the files like it was any other directory.

When I’m done I unmount it and sync it with the b2 encrypted remote.

I use Round Sync on android which is rclone with a mobile GUI to access the same files. Also works great for backing up my phone.

For docker access to the mount point, either run the docker daemon as your current user, enable root access to rclone’s fuse mounts, or my preferred is to remount (with root access) a scoped directory for that docker container using something like bindfs.

Just be aware if using the vfs-cache (needed for seek or append), that cache is stored decrypted in your home folder. I’ve been meaning to look into locking it down with apparmor or something.