Neither IPNS nor IPFS encrypts your content for you. block-level encryption is planned but right now it’s up to you to encrypt the content you put on IPFS.
IPNS does uses private key cryptography to prove who published an update, but it does not encrypt the content itself.
Search around on discourse to find discussions about this topic. Example: Ipfs dynamic content like cms - #6 by flyingzumwalt
Read up on public-key cryptography.
You could start with the wikipedia entry and then explore the idea space. That’s where you will find the answers you seek.
Write your app as an offline-first distributed app and bundle IPFS with it. You can still run a web-based version of the app, but the downloadable desktop version will be the main thing people use (Like Slack – where you mainly use the desktop client but can also interact with the same information at slack.com)