The issues with encfs are important for the user to know about, and for that reason Vaults shows the information about the issues.

The problems the audit pointed out relate to using encfs in a situation where the encrypted data is synced to a remote data storage that the attacker has access to. If encfs is used locally only, the encryption it has is good enough. Apart from the message about the security of encfs, an additional deterrent of using it with online syncing is that you can not choose the location of the encrypted data storage when using encfs as the backend.

After the recent news with xz, I'm starting to think that the fact we don't have a new version of encfs is a good thing - we have a version that has been audited and for which we know the faults and when it should and shouldn't be used.

For the things that have active development, an audit (if they have been audited at all) quickly becomes obsolete and new patches might worsen the security. :)

good points! Interesting, gocryptfs had an audit too, with basically the same result. If an attacker has access to the files on the cloud, they can change things or I dont remember exactly what and hack the decryption like that.

The thing is that when people use local disk encryption, vaults will mainly be used for clouds, so this is the exact scenario to protect against.

I noticed the warning message, and will see if I would want to change something. 

I dont know when gocryptfs and encfs could be recommended then. I also dont know if Cryptomator secures against these threats, and if it is licensed so it could be used (there is no cli interface!).

Agree kind of on the xz comment I guess. Audits are better than "the eyes of the world".