There are several posts about optimizing storage when using Cryptomator or concerns about seeing your data unencrypted in the systems default file browser. To address these questions and concerns, we want to share a more hidden fact about Cryptomator.
Cryptomator never stores data inside a vault unencrypted.* It only decrypts on-the-fly, i.e. only on request. As soon as the data is moved into your vault, on your hard drive/cloud storage only the encrypted data is stored. Your data is also not duplicated and you cannot save local space by deleting/moving unencrypted data you see in your vault.
For performance reasons, Cryptomator caches data unencrypted in (volatile) RAM. But reading out this data requires significant effort and if it is possible, your whole system might already be mitigated. Additionally, local security is not the main security target of Cryptomator.
*other applications including your OS might do it nonetheless!