You have 2 encryption options - at the file level and at the block level.
The first option is the easiest to implement - in the properties of the file / directory you specify the encryption flag (only for NTFS) and that's it, only your windows account will have access to it (carefully, when resetting the password or reinstalling the system, without backing up encryption keys, access to the data will be lost).
This method figuratively protects your data from any windows user, but administrators can install an application that can copy or change data at a time when it is available (an administrator can be created with access to hardware by booting from a special flash drive).
The second option (bitlocker, truecrypt) protects the entire disk from third-party users (who have physical access to your disk), the password (or encryption key on usb or otherwise) will be requested at system startup (more precisely, mounting the disk, but not encrypting the system disk in does not make sense in this case), the data itself will be available to all windows users on a general basis, as if there is no encryption (but regular access rights are possible).
Be careful, the second option disables the use of TRIM for SSD drives, this is a very important technology that allows you to speed up the work with the drive and even extend its life.
ps full protection of data from those who have physical access to the disk - this is a very difficult issue, in the end the task will come down to encryption technologies for the bootloader and confirming its integrity (for example, by loading your encryption keys into the BIOS of the motherboard, such technologies are not available on cheap motherboards ) because if, for example, you encrypt a disk in a data center, the administrators of this data center can, on the next reboot, slip not real hardware, but their own special or, for example, virtual machine host, and this hardware will wait for the encryption key to be entered and allow it or RAM data to be stolen which means data access. One of the ways to deal with this is administrative, turning on / rebooting the machine should be carried out with physical access to it, with checking the seals (the case is not opened,

Not one techie in the world will ever be able to crack even the encryption of a bitlocker, yes, maybe he has loopholes, but they are available to very few people, most likely the US intelligence services have access, and even then they don’t use it, they do otherwise there, within the framework of the law, they immediately give the maximum term 20 years if a person cooperates and gives out a password voluntarily, the term can really be knocked off up to three years, and those who refuse are actually sitting for 20 years, so most give out a password themselves, and without torture
. not even though many tried