Just make the file root owned and readable by no one. An unreadable file can’t be copied. You can use chattr to add some flags like immutability if you desire (shouldn’t really need to). Use a command like find /some/path -type f -exec chattr whatever {} \; if you need to do this recursively. Root account should need a password, and should (hopefully) not be accessable with an unprivileged user’s password through sudo/doas, but on its own account with it’s own password using su or login.

Note that without encrypting the file, this does not protect you from someone just grabbing your storage device and mounting it with root permissions and then they can do whatever they want with your data. It also doesn’t protect you if someone gets root access to your device through other remote means. If you want to encrypt the file, use something like openssl some-cipher -k 'your password' -in file -out file.cipher_ext. If you want to encrypt multiple files, put them in a tarball and encrypt the tarball. You can again also use find with openssl to encrypt/decrypt recursively if you don’t want to use a tarball, which may be better with ciphers like blowfish that aren’t secure at large file sizes; but if you do that, you expose your encrypted file system structure to attackers.

I am not a fan of full disk encryption, because it usually means leaving all your data decrypted during runtime with how most people use it. If you only decrypt a block device when you need to, there’s nothing wrong with that, and can work as an alternative to encrypting a tarball.