Am I right thinking that if a file content indexer like Baloo is allowed to index a mounted vault, then someone could bypass encryption by looking at the index? It wouldn’t be blocks of clear text, but at least fragments.
If that is true, I suppose the user would have to tell Baloo not to index that folder. Couldn’t Baloo or the Vault do that by default? And all this probably applies to other indexers like Recoll as well.
For what it’s worth, there’s a bug report filed in the KDE Bugtracking System about this topic with links to some work that’s been done and descriptions of what more could remain as an issue: https://bugs.kde.org/show_bug.cgi?id=390830
In the meanwhile, like others on that thread, I discovered several ways encrypted files can leak (eg through Recent files, Wastebasket, Libreoffice backups etc) the user will have to be vigilant all the time.
I think something like this will have to be secure-by-design or probably it’s worse than no encryption where at least there is no false sense of security.