Why I'm moving back to BTSync / Resilio

I have never used Resilio and do not understand the purpose of the underlying structure in terms of synchronization. And Syncthing has no explicit access control mechanisms or enforced directory structure. However, as far as I understand, your setup still works fine with Syncthing, except for the encrypted shared folder, which is In The Making™:

Create separate shared folders for every directory that any device needs access to (workgroupA, subfunctionA, projectB, …). Then share those folders with the appropriate devices. The devices will manually take care of the “external” directory structure, which can be very useful, e.g. if one device only shares a single folder deep down in the tree, it would be nicer to sync it to a more easily accessible location. If you want to enforce a specific setup, you need to deploy the configuration. There are discussions and community contributions about doing this with e.g. Ansible.
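
The per-directory layout described in the post above, as an added example that is not part of the original post: a short Python sketch that turns an access matrix into the `<folder>` entries each device's Syncthing `config.xml` would carry, so a device never receives a folder it is not listed for. The device names, device IDs, paths and the `ACCESS`/`LOCAL_PATHS` tables are constructed placeholders, and listing every member device in each folder entry is an assumption about how the shares are meshed.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: these are placeholders, not real Syncthing device IDs.
DEVICES = {
    "alice-laptop": "DEVICE-ID-ALICE",
    "bob-desktop": "DEVICE-ID-BOB",
    "build-server": "DEVICE-ID-BUILD",
}

# Access matrix: one shared folder per directory, with the devices allowed to hold it.
ACCESS = {
    "workgroupA": ["alice-laptop", "bob-desktop"],
    "subfunctionA": ["alice-laptop", "build-server"],
    "projectB": ["bob-desktop", "build-server"],
}

# Each device picks its own local path; anything not listed gets a default.
LOCAL_PATHS = {("build-server", "projectB"): "/srv/projectB"}


def folders_for(device):
    """Build the <folder> elements for the folders this device may hold."""
    if device not in DEVICES:
        raise ValueError(f"unknown device: {device}")
    elements = []
    for folder_id, members in sorted(ACCESS.items()):
        if device not in members:
            continue  # not shared with this device, so it never appears in its config
        unknown = [m for m in members if m not in DEVICES]
        if unknown:
            raise ValueError(f"{folder_id} lists unknown devices: {unknown}")
        path = LOCAL_PATHS.get((device, folder_id), f"~/Sync/{folder_id}")
        folder = ET.Element("folder", id=folder_id, label=folder_id,
                            path=path, type="sendreceive")
        for member in members:
            ET.SubElement(folder, "device", id=DEVICES[member])
        elements.append(folder)
    return elements


def render(device):
    """Serialize the device's folder entries as an XML fragment."""
    return "\n".join(ET.tostring(f, encoding="unicode") for f in folders_for(device))


if __name__ == "__main__":
    for name in DEVICES:
        print(f"<!-- {name} -->\n{render(name)}\n")
```
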