Not sure if you can try to do that with the workflow app, so that some rules just apply to the parent folder only. Or if you can write your own workflow that could allow that.
Dirty workaround: try with the API to check on a regular basis if the folder was shared and un-share if it was shared by accident.