Practice this topic in a realistic system design interview
Most data is protected by the application. The app checks who you are, what you are allowed to do, and then decides whether to return the data.
But stored data can escape the application path. A laptop can be stolen. A backup can land in the wrong bucket. An old disk can be retired without being wiped. In those cases, the normal access checks may never run. Whoever gets the raw storage can try to read the bytes directly.
Encryption at rest protects against that situation. It keeps stored data unreadable unless the reader also has the right key.
It is important to be clear about the boundary. Encryption at rest does not replace authorization. If the application can decrypt data and return it to a user, an attacker who reaches that same application path may be able to read it too.
This chapter explains where encryption at rest helps, where it does not help, and how experienced teams usually design it.