Standard Notes [0] are allegedly encrypted at rest.

[0] https://standardnotes.org/

In Standard Notes' case they are AES encrypted before leaving the device using a note specific key encrypted using your master password (or at least that's how the underlying system Standard File used to work). Encrypted at rest could just mean the volume is encrypted but they can still read your notes (since they have the key).

They say it's XChaCha20-Poly1305 [0], and "no one but you" can read your private notes [1] (I don't know what that means).

They also list some security audits, though not without problems.

[0] https://standardnotes.org/help/3/how-does-standard-notes-sec...

[1] https://standardnotes.org/help/1/who-can-read-my-private-not...

Unless they're self hosting, this might even be a super easy thing to add. With AWS and many other cloud providers this is either the default or a simple checkbox.

On the off chance that someone physically steals the server?

Or steals bits at rest remotely for later analysis