Here's a concrete reason why I really think ACLs are needed on the encrypted folder: say some background app wants to access the folder, and for whatever reason you decline (i.e. press "Cancel" instead of entering the password, on purpose or by mistake), or you launch an app, change your mind at the password prompt (nah, I don't need this app now), and cancel: the app will end up completely confused: it will see an empty folder, and start writing into it. Boom, there's a sensitive data leak! Worse, now the app is potentially in an incoherent state.
On top of that, the next time the app runs properly (because you allowed access this time), Espionage will see a non-empty folder, move it aside (this compounds the security problem), and report a warning to the user, who then has to pay attention and manually securely delete that extra folder.
This is not a theoretical problem: I've observed this several times so far using Espionage.