In my mind at least this would be solved by the “vault” needing to be decrypted with a password every time notes are accessed/saved with the password acting as the key? I’m not terribly well educated on encryption though.

Oh thanks for the heads-up! Will look more into it then.

After some more research it seems that Joplin only E2E encrypts notes at transport and not at rest[1]? e.g. it only stores plain text files on the harddrive just like Obsidian does? This sadly makes it not viable for my use case :/

[1] https://discourse.joplinapp.org/t/requesting-encryption-of-local-joplin-data-at-rest-encryption/15145