PDF User Password always give access to the Owner Password, even when encrypted with AES-128
I’ve been messing around with qpdf, and noticed something that seems huge: that a document’s Owner Password is essentially useless, as it can be easily unset, and therefore that only the User Password offers any real security for a PDF.