Isn’t note_resources populated via a background service? How often does that population get triggered?
Depending on those answers, can we really rely on those values to determine whether encrypt / decrypt / copy of a resource should happen?
Regarding the idea to copy resources used in other notes when encrypted, this could create orphaned duplicate resources if you unencrypt those notes, unless you handle clean up too.
Also, bear in mind that note_resources I don’t think considers revisions. So there needs to be handling for viewing encrypted / unencrypted revisions which have encrypted / unencrypted resources in the revision viewers.
And additionally, you need to ensure that resources in encrypted notes do not get automatically deleted. See comment from one of the other proposals: