the audit is a bit poor IMO:
With the current design, users MUST ensure that
no attacker can modify the ciphertext and read from some part of the mounted
filesystem, otherwise there will be a catastrophic security failure. Users must also be
aware that gocryptfs provides imperfect integrity protections against less-powerful
kinds of adversaries, and that those imperfections might lead to confidentiality leaks
when certain applications are run on top of a gocryptfs filesystem.
That is part of the design: you mount your encrypted directory somewhere in plaintext. That does not make any sense to me; you cannot argue that your encrypted hard disk is mounted in plaintext and programs can read the data.
But that is off-topic here. The gocryptfs guys have some place to discuss this.