Espionage uses an event system called iSpy that allows it to detect when certain events happen. For example, when a user double-clicks on a protected folder in the Finder, iSpy sends an event to Espionage. In addition, iSpy gives Espionage the ability to allow or deny the operation that caused the event.
Espionage creates encrypted folders by placing the contents of a folder into a file called a disk image. This is actually the standard method for encrypting data on Mac OS X (FileVault works in the same way). The original folder is then placed in the user's trash, in its place a new folder is created with the same name, containing the disk image.
Let's say we encrypted a folder on our Desktop called "Secret", it would have the following path:
If we chose to encrypt its contents using a sparsebundle, then the disk image (which is invisible to the Finder) is located here:
When the folder is unlocked, the disk image is moved into the parent folder (Desktop):
The disk image is mounted is a special EspionageMounts folder, with the format: <username>/<number>/<foldername>, and is guaranteed to be the the same each time the folder is mounted.
The "Secret" folder should now be empty, so it's deleted (otherwise it's renamed to "Secret-saved"). In its place a symbolic link is created that points to the above mount point. Other users do not have access to this mount-point, and it will disappear automatically if you logout, restart, or even if the system crashes or is forced to shutdown.
When the folder is locked, these steps are reversed, and the folder is re-watched by Espionage for access.