At PowerSync we use a wa-sqlite build with SQLite3MultipleCiphers for encryption at rest.

You do still need a secure key to use with this. The simplest is to persist the key server-side (and specifically not on the client), and provide it to the JS after signing in. If you need to support a completely offline PWA you need something else, e.g. prompting the user for a passcode each load.