safest approach: only encrypt resources exclusively used by encrypted notes. if shared, leave unencrypted and surface a UI warning when locking.
I think that is a fair approach. But do you have an idea how to check if revisions are used in unencrypted notes though? I know that either the revision or resource service does some kind of scan to check for resources not used anymore in notes or revisions, but I’m not sure how efficient it is, as it may need to scan the the body of all notes and revisions? Can you ensure this validation could be quick if the user has many notes and / or revisions?
on scope: i'd keep this project to a single vault master key. named key architecture and multi-plugin support is interesting but better as a follow-up.
Fair enough. If the encrypted note key is a specific key for that purpose, then it would be weird to add a UI in the core app to manage the key for a feature which does not exist in the core app. So the implementation must be in the core app to enable it to be synced, but the UI to manage the key should be implemented in the plugin instead, and appropriate apis must be implemented to enable this