Here is a quirk I’ve noticed with the default timing of scans on untrusted devices: the default is understandably long, 86400s with the watcher disabled.
If a file of 2GB is sync’ed from a trusted to untrusted device and replaces an earlier version of the file, two empty directories remain in the encrypted folder from the previous version (parent and child). The untrusted device GUI shows only one file and no folders and there is no prompt to remove the errant folders.
Rescanning the directory once causes the child to disappear, rescanning again causes the parent to go as well.
Activate the watcher and no remnant directories from the previous sync are left after a new file is sync’ed.
I only noticed this because I use rclone to send my untrusted device directoies to a cloud repository and the empty directories were there of course.
Even though the untrusted device is an RPi4, I assuming the cost in resources of leaving the watcher on (or a short rescan period) is relatively small.