It is yet to be decided. Personally I’m inclined to use symmetrically encrypted files (with the key stored in a secret table, like a regular password). In this scenario we would then store the files in the DB with an additional cache on file, pretty much like we did for avatar.
This way the files are only accessed from the DB when the cache is warming up. This facilitates making backups (only one source of data), which we know from experience a lot of people struggle with. Also we don’t have to implement and test multiple file storage configurations and options (as people will want to use S3 buckets, NTFS, etc. for high availability setups).
The disadvantage obviously is more strain on the database.
I think this is workable if the files are small. But it’s up for debate with the team; we will most likely experiment before making a decision.