I had exactly the same problem, if you need a solution, i got one. (simple but working)
Situation:
We have just 3 shares where users should be able to work on, sync is also not allowed and handled by workflow app, further we also run in the problem, that users can move files from share to either root folder or a user created subfolder in user space.
This is a big issue, as you can loose data, and also in 2023 i found no way to take care of it with all build in features in nextcloud.
So i adjusted it by a simple way:
I add a check to the moveFileFunction, that takes care about source and target of move operation. (just one file needs to be changed)
If MoveTarget lays in the SourceRoot Path, then move is allowed,
otherwise it is forbidden and response to user.
Example of protect moving files:
i am at → /EXT_Storage_Local/ and try to move the New text file.md to → /GroupFolder_Elektro
as you can see on image, move operation fails and gives user a message as this move lays not in the allowed RootPath.
Example of allowed moving files:
i am at → /EXT_Storage_Local/ and try to move the New text file.md to → /EXT_Storage_Local/sub1/sub2/sub3
Tested on: NC 27.1.2
At moment i prepare a github issue for it, will add link later, when it is online.
If you are still looking for a solution - just give me some feedback - thx