GNU/Linux distributions include many tools to encrypt whole directories.
With Paperwork, there are 2 directories that should be encrypted to protect your privacy:
Your work directory (by default ~/papers, can be changed in the settings)
The cache directory (~/.local/share/paperwork, cannot be changed) (it contains index files from which the content of your documents could be partially recovered)
On GNU/Linux Debian and Ubuntu, you can easily create a directory Private in your home directory. This directory will be encrypted using the password you use to connect when you start your computer. Just type ecryptfs-setup-private in a terminal to create it. You can then put the work directory of Paperwork in it.
Once the directory has been created, you can also store Paperwork cache in it:
If you installed many versions of these packages, you may have to run these commands many times.
Note that there are other dependencies installed with Paperwork. However, python-pip can't detect and remove automatically unused dependencies. This is why you should use your distribution package(s) if possible.
Paperwork is designed to be as simple to install and use as possible. Web servers and web applications are not simple to install (yeah, I know, the dependency nightmare of Paperwork doesn't make it easy either, but package managers are supposed to take care of that).
I (jflesch) have no use for a web frontend (I sync my files with SparkleShare, and I can access them everywhere I need them). I don't develop features I don't use. Doing otherwise would be the best way to get regressions all the time.
With a web application, scanning is not an easy problem. You could use any scanner connected on the server side .. but it wouldn't make sense. You need to scan on the client side, and AFAIK, it would require a browser plugin.
Feel free to make one if you want. We will gladly help you with any questions about Paperwork backend you might have.