For a public institution you want some sort of accountability / auditing mechanism, so you can't just do E2EE encryption between users.

Otherwise, a public servant could do sketchy stuff behind the public's back with no paper trace.

What you don't want is hostile foreign capitalists leaking your data to their local authoritarians. They are not your public and shouldn't have the data in the first place.