There was a post I was going to reply to but @tessus locked it.
I am not a developer, just a user, and these opinions are mine alone.
Being FOSS does not make an application secure. I trust Joplin not to be naughty with my data but that is based on the sensitivity of the data I store. Being FOSS means that you or your Data Security team can examine the code to ensure that it is suitable for the data to be stored. It also means that instead of accepting the pre-built application download you can build it yourself safe in the knowledge that the code in the application is as published. But it’s the features an application has, as well as the underlying operating system, that need to be considered. In my previous employment Joplin would not have passed scrutiny because it has the ability to sync over the Internet. Even though you need not use it, the fact that it was there would not have been acceptable. Also running a mobile application on any OS that had something like Google services running on it would have prevented its implementation.
If anyone thinking about mobile app locks would search this forum for “app lock”, “password lock” or similar they would see many posts about it. The main argument against this is that if your device is not intrinsically secure no password / fingerprint lock is going to help. A Cellebrite UFED will happily read your data regardless. For a UFED a password lock is an inconvenience, not a barrier. Then, when your data is travelling over the Internet, it actually has decent protection. But when it lands at the sync target you are at the mercy of whoever runs the cloud service. Joplin provides End to End Encryption (E2EE) but, in my opinion, that should only be considered as suitable for preventing cloud storage providers from snooping on your data to target you with ads. If you have really sensitive data you should not be storing it on a public cloud service, i.e. something you do not control.
Personally I feel that Joplin’s approach is one of the most realistic and mature out there. It does not make any spurious claims, and basically says your whole device security (mobile or desktop) as well as your IT security policy is more important than individual app security. And that is something you need to deal with…