qpdf --encrypt

wognath
Posts: 4
Joined: Wed Jun 30, 2021 3:13 pm

Post by wognath

Hello,
I use qpdf to encrypt PDFs for the cloud. I recently found out I had been making a serious mistake. :shock: Since I wasn't interested in restricting permissions, I left the owner password blank. The qpdf dev says that a PDF file with a blank owner password "can be trivially decrypted."

So for any other naive PDF encrypters: be sure to set both passwords, equally strong.

I gather from my reading that for best security, 40-bit key and RC4 should be avoided as well. Examples

Cheers!

Footnotes

The qpdf manual wrote:

Either or both of the user password and the owner password may be empty strings....PDF files with a non-empty user password, an empty owner password, and a 256-bit key...can be opened with no password.

That is not the case with 128- and 40-bit keys, but as I learned, the file is not secure. Explanation:

qpdf dev wrote:

When you encrypt a PDF file the encryption key is generated at random. Then the encryption key is again encrypted using a second key that is derived from the user password and a third key that is derived from the owner password. Either the user password or the owner password can be used to retrieve the actual encryption key, which can in turn be used to decrypt the file...[w]hen you encrypt a PDF file with an empty string as [either] password...[t]he file is still encrypted, but the encryption key is there for the taking.

https://github.com/qpdf/qpdf/issues/351 Many thanks to qpdf developer Jay Berkenbilt, who patiently explains these things.
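
The following shell sketch is an added example, not part of the post above and not code from the qpdf project. It refuses to encrypt unless both passwords are set and the key is 256-bit, and it audits an existing file with `qpdf --requires-password`. The function names and the `MIN_LEN` policy value are assumptions made for illustration; the exit statuses are the ones the qpdf manual documents for `--requires-password`.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not qpdf's own tooling.

MIN_LEN=12   # assumed minimum password length; set your own policy

# Return 0 only if the settings avoid the mistakes described in the post:
# an empty owner or user password, or a key shorter than 256 bits.
check_encrypt_args() {
    user=$1 owner=$2 bits=$3
    [ -n "$owner" ] || { echo "owner password is empty" >&2; return 1; }
    [ -n "$user" ]  || { echo "user password is empty" >&2; return 1; }
    [ "${#owner}" -ge "$MIN_LEN" ] || { echo "owner password too short" >&2; return 1; }
    [ "${#user}" -ge "$MIN_LEN" ]  || { echo "user password too short" >&2; return 1; }
    [ "$bits" = 256 ] || { echo "use a 256-bit key, not $bits" >&2; return 1; }
    return 0
}

# encrypt_pdf USER_PW OWNER_PW IN.pdf OUT.pdf
# Runs the policy check, then the positional form of --encrypt.
encrypt_pdf() {
    check_encrypt_args "$1" "$2" 256 || return 1
    qpdf --encrypt "$1" "$2" 256 -- "$3" "$4"
}

# Translate the exit status of `qpdf --requires-password FILE`:
# 0 = a password is required, 2 = not encrypted,
# 3 = encrypted but opens without supplying a password.
verdict_for_status() {
    case $1 in
        0) echo "ok: password required" ;;
        2) echo "FAIL: not encrypted" ;;
        3) echo "FAIL: encrypted but opens with an empty password" ;;
        *) echo "error: qpdf could not read the file" ;;
    esac
}

# audit_pdf FILE.pdf  (no password is supplied, so qpdf tries the empty one)
audit_pdf() {
    qpdf --requires-password "$1" >/dev/null 2>&1
    verdict_for_status $?
}
```

Passwords given as command-line arguments are visible to other local users in the process list while qpdf runs, so run this on a machine you trust.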
