I have tested out Joplin and it is a good replacement for Evernote, but I see that there are unencrypted files on desktop. I believe I read I could just put them in a veracrypt container.
What about Android? Does it have unencrypted local files, and if so where might they be, and could I put them in a veracrypt container (EDS lite allow me to create them on Android) and still be able to sync fine?
Android encrypts app data automatically. e.g. My Google Pixel encrypts the entire phone. As a next step, application data is bound to the phone and the user. You can't copy the app data and put it on another phone. That does not work.
However, from Joplin's view, the files in that encrypted app data container are unencrypted. Local data in Joplin is always unencrypted.
But is there some folder that you can see even if the app is closed like the unencrypted sqlite on desktop that shows your notes unencrypted? I want to be able to put moderately sensitive information like bank addresses (but not pins) inside it.
What about if I wanted another layer of encryption that uses a complex password rather than my biometrics? Do you know if putting the files in a vault will mess up the sync?
Yes, look at the setting on your Android client, you can see where the option for Encryption has a large blue button, You need to set it up for it to work.
As far as your question above, yes I suppose if someone gets your unlocked phone that is not using encryption (which is rare now days) then perhaps they could get to and retrieve un encrypted notes from the phone.
On scenario I can see this happening is if you use an SD card, some Android phones will NOT encrypt an SD card. My Moto G6 will not, my older Samsung will. If you use a utility to move the Joplin notes to the SD card and it's nt encrypted then you could be vulnerable.