Use ffi.from_buffer(...) for conversions, so that bytearray, memoryview and other things work too, instead of checking that the arguments are bytes instances.

I would also prefer being able to give output buffers to low level functions, for instance I had to do this hack to enable encryption without creating a new buffer. It works even in place, if ciphertext and message are the same buffer:

from nacl._sodium import ffi, lib

def encrypt_into(ciphertext, message, aad, nonce, key):
  mlen = len(message)
  clen = ffi.new("unsigned long long *")
  ciphertext = ffi.from_buffer(ciphertext)
  message = ffi.from_buffer(message)
  if aad:
    _aad = ffi.from_buffer(aad)
    aalen = len(aad)
  else:
    _aad = ffi.NULL
    aalen = 0

  return lib.crypto_aead_chacha20poly1305_ietf_encrypt(
    ciphertext, clen, message, mlen, _aad, aalen, ffi.NULL, nonce, key
  )

While for most things it does not matter if copies are made and new buffers are being allocated, stream ciphers can be much faster with proper buffer management.

Yes, this library predates from_buffer in cffi, but it should use it. pyca/cryptography switched long ago but no one has done the work on pynacl yet.

I couldn't find any way to use pynacl to encrypt large files as all the public API takes is bytes. It's a pretty big limitation.