What are the current best practices for sharing a USB printer over the LAN? Is it still CUPS, or has the situation improved?

If CUPS, can the connection be secured using TLS or other forms of certificates?

#1 "best practices" is the buzz that vendors use to convince you to buy the product on which they get the most commission over time. It is also used by proprietary product providers to get you to avoid using better products. It has as much value as "industry standard", which means whatever the speaker wants it to mean.

#2 Have you looked at CUPS recently? Have a look at pages such as https://www.cups.org/doc/encryption.html easily discovered by a simple search.

#3 All of my printing is over a secured internal network. I use encryption on production and work networks, but not on an internal isolated secure subnet. You must evaluate your risk environment to determine if encryption for this specific traffic is appropriate.

I figure on LQ it would still actually mean something, though the phrase does seem to have become co-opted elsewhere. I notice a lot of phrases which were ok a while back have changed meaning to nearly their opposites lately.

Thanks. No, I have not looked at it lately, which is one of the reasons for asking. In particular, anything FOSS but not CUPS would be interesting. I see that most of the pages on the CUPS site are at least two or more years since their last update, and some contain incorrect information.

Other than that, the link you provide is useful, yet it does not surface easily in any of the hour or so of searching I did so far. However, that page does seem to suggest that only the server has its own certificates. What about also having client certificates so that the server knows which connections to allow, sort of like how MQTT does it?

Maybe half of these print jobs would be over Wi-Fi (WPA2) which in no way can be considered secure. Furthermore, there is massive RF interference intermittently. So I see encryption as essential, not just for the privacy and authenticity aspects.

Back to the certificate problem, it looks like tunneling port 631 TCP over SSH would be the way to go. Then that account would have a locked key and be a member of the group with CUPS access. That would take care of verifying the client as well as the encryption. It just seems like an inefficient and maybe inappropriate move to tunnel TCP over TCP.

Under those conditions the wonder will be if you can print reliably at all using ANY tools! Finding the source of the "noise" and shielding things to prevent that RF problem would be wonderful! ANY encryption tunnel is IP of IP, you have just added overhead by encrypting the traffic for security. It will be slower and the packets will either be larger or increased in number. I consider that a worthwhile tradeoff.

SSH uses an SSL encryption tunnel, and will do all of the handshake for you. Where that is an option on both ends it should work. While you could do the encryption entirely under CUPS directly, ssh should serve well enough.

The only alternative to CUPS I have used is LPRNG, which is getting rather long in the tooth these days. Either beats the old LPR/LP/LPD systems. Recent versions of LPRNG can coexist with CUPS, but I have no idea what the advantage in that might be.

When Michael Sweet left Apple in 2019 cups was forked and now there are two versions. Depending on distribution/version linux should use the OpenPrinting version https://openprinting.github.io/cups/ and not Apple cups.

cups does have user authentication which may or may not be satisfactory for your use.

If the printer must be connected to a computer and cannot be connected directly to your LAN, this tutorial from ZDnet should help.