Encryption and authentication are not the same. TLS by default only authenticates the server (using a [server-]certificate) - the client is unauthenticated at the protocol level. The common solution to authenticate a user (= client) is to use a password.
If password authentication is not considered secure enough, you could configure Apache to also authenticate the client at the TLS protocol level. This means configuring Apache to require some specific client certificate (a self-signed one would suffice), which is then added to the browser. This way both server & client are authenticated via TLS using certificates. A password is then no longer necessary, as only users with access to the client certificate can log in to the web interface.
It may be easier to use SSH instead, because SSH doesn’t require certificates or complicated config files (SSH can be configured to authenticate using public keys on both sides).
Not exactly sure what “reasonably secure by default” means in this context. Anyone with access to the web interface can add/remove new devices or folders and sync any data. Thus access to the web interface must be restricted. That means:
- If the web interface listens only locally, only local users can access it (users connecting using SSH tunnels and related things can be considered “local”).
- If the web interface is reachable from the outside (internet), the connection should additionally be encrypted (HTTPS or some sort of secure tunnel/VPN).
- Users should be authenticated, for example using a password or external methods on a lower protocol level (TLS certificates, SSH public keys or other network authentication methods).
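
The client-certificate setup described in the post above, sketched as an Apache virtual host. This is an added example, not part of the original post; the hostname, file paths and backend address are placeholders, and it assumes the web interface sits behind Apache as a reverse proxy with mod_ssl, mod_proxy and mod_proxy_http loaded.

```apache
# Added example: Apache in front of a web interface that listens only locally.
# Hostname, file paths and the backend port are placeholders.
<VirtualHost *:443>
    ServerName webui.example.org

    SSLEngine on

    # Server authentication: the certificate the browser verifies.
    SSLCertificateFile    /etc/apache2/tls/server.crt
    SSLCertificateKeyFile /etc/apache2/tls/server.key

    # Client authentication: the TLS handshake fails unless the browser
    # presents a certificate that validates against this file. The file
    # holds the trusted client certificate(s) or the CA that issued them.
    SSLVerifyClient      require
    SSLCACertificateFile /etc/apache2/tls/trusted-clients.pem

    # Settings that do NOT enforce client authentication:
    #   SSLVerifyClient none            (the default: server-only TLS)
    #   SSLVerifyClient optional        (clients without a certificate still get in)
    #   SSLVerifyClient optional_no_ca  (any certificate is accepted, verified or not)

    # Forward authenticated requests to the web interface. The backend must
    # be bound to the loopback address only, otherwise it can be reached
    # directly and the certificate check is bypassed.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Whether the check is enforced can be confirmed from another machine: a request without a client certificate should fail during the TLS handshake, before any login page is served.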