Understanding how e2e has to be set-up

I just wanted to test e2ee and fail to understand why it does not work. My aim is to have one folder which is e2e encrypted. NC 20.0.10.

What I did is to enable the e2ee app 1.6.3 I did not enable the server server side encryption since I only want that one folder to be encrypted. Since I did not get any error messages I figured that this is fine?

Then I created a subfolder within a shared folder, shared with another nextcloud user on the same instance. With the android client I set the new folder to encrypted and wrote down the 12 word passphrase. The folder is shown as encrypted in the Android client, i.e. its folder icon shows the lock.

Then I started the Windows client which asked for the 12 word passphrase. After that I tried to move a file to the encrypted folder which fails as soon as the client tries to sync with the server. The error message states that MOVE is not allowed. Why not? And if not, why does the nextcloud client allow the moving in the first place and only fails at syncing? Virtual file system is enabled in case that makes a difference.

So I copied the file into the encrypted folder. The client syncs fine. However, the file is not encrypted, i.e. Incan still View it via the web browser or clients which do not have the 12 word passphrase.

Is this because “only new files are encrypted”? I thought that would only apply to server side encryption.

Is it because the folder is a sub-folder of a shared folder?

Is it because server side encryption has to be enabled for e2e encryption of single folders to work?