Encrypt them before they’re ever put there. One example I can think of is in resilio sync, which has the option for sharing a folder to an encrypted peer. Other peers encrypt it before sending anything, that peer doesn’t have the decryption keys at all.
Harder on the corporate side, but this has been an issue in the warehouses.