Currently MWG doesn't distinguish completely encrypted documents, and protected (from printing or commenting) documents. But I think, that for incomming traffic this doesn't matter, and anti-malware engine should be able to find malware in such documents.
So I think, that you can implement following workaround, you need to create list with mime types that will skipped, put application/pdf there, and modify rule so it will look like:
IF Body.IsEncrypted equals true
AND Body.MimeTypesEnsured "not in list" <list of mime type to be skipped>
this rule will block all encrypted documents and archives, except listed in your list