Regarding security, XOD files can be protected with standard AES or proprietary encryption algorithms. For an example of how to implement a custom encryption handler, please see https://groups.google.com/d/topic/pdfnet-webviewer/KGDN8WqP1Ko/discussion. Besides support for proprietary encryption, the next update to PDFNet/Cloud API will include built-in AES support (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard), so there would be no programming required for 'out of box' security features. The WebViewer also includes source code for the ReaderControl, which can be used to customize every aspect of the user experience (i.e. you can remove some options, add extra features, etc.) – i.e. all of the customization and flexibility that is important for any DRM system.
----
Re: annotations, they can be stored either locally (e.g. in HTML5 local storage) or remotely (i.e. as part of your cloud database).
Annotations can be serialized/saved as an XFDF string (http://partners.adobe.com/public/developer/en/xml/XFDF_Spec_3.0.pdf). Also, every time the document is loaded, the WebViewer can fetch annotations and display them in the document view. As a starting point, attached is a short intro to annotation and collaboration facilities in the WebViewer.