Impersonate works with per-user encryption enabled

I’ve enabled the default encryption app and enabled per-user encryption by running occ encryption:disable-master-key. However, I can still use the impersonate app to log into users’ accounts and view their files. Shouldn’t per-user encryption prevent me from doing this? I’d like to set up NC so that only the user can access their files, not admins.

Addendum: is it possible to set this up so that sharing still works? I see that there’s a share key created, but I haven’t traced the code thoroughly enough to see how that all works.