This could be a minefield. Files and folders will inherit their parents’ EFS encryption flag (if the parent is set to do so), which is enough to ensure EFS files are handled correctly (they are here). Otherwise you could end up syncing files with a user account that hasn’t used EFS yet, which could mean data loss if the user hasn’t backed up their cert, could cause files to be encrypted by the wrong cert if Syncthing is running as a service or other user account. Worst of all, if a receiver receives files to a Windows edition / file system that doesn’t support EFS, it’s plausible that EFS flag being “not encrypted” could trickle up to the sender which would cause unwanted decryption.