Thanks! Exactly, client encrypts before syncing. Decryption keys are wrapped/encrypted with your password. If you change the password, only the decryption keys are re-encrypted, not your notes.

Smart approach with the key wrapping. Re-encrypting every note on a password change would be brutal at scale. Do you have a recovery path if someone forgets their password, or is it truly zero-knowledge where the data is just gone?