It'd be nice if I could enable an add-on to place all files, especially database files, on an encrypted (EncFS) volume.
This would automatically settle (parts of) HIPAA-like compliance without having to implement encryption in individual software layers. Having the entire VPS volume encrypted using EncFS is transparent to userland. The data on disk is encrypted; the data in RAM is decrypted. It should actually probably be a default setting, as unencrypted data on disk can be read by the VPS provider.
The downside is that the key must be provided on boot; the encrypted volume won't mount without it. But I presume that this can be handled by your infrastructure.