OK - tentative success…
I’ve setup 2 veracrypt “crypts”, linked my RSL (resilio sync) sync folders to those mounts, and it seems to be working… unfortunately RSL knows they’re links, so I’m syncing e.g. /media/veracrypt1 and /media/veracrypt2, to more meaningful named “targets” on my other RSL peer machines…
But so far, so good… I feel a bit more secure anyway… got the warm fuzzies in the cockles of my heart 
anyway…
Rebooting will be a bit of a PITA - I’ve set RSL to manual start (it’s a simple “systemctl --user start resilio-sync” away), so I can manually mount the veracrypt volumes beforehand… till I get my head around doing the mounts from a shell script (but then storing the mount arguments in a plain text file would kinda defeat the whole purpose of this exercise!)…
-note-
still got a sense of impending doom however - envisioning a nightmare scenario should I forget my encryption pass phrase, when that pass phrase is stored in my KeepAss2 database, which is itself, stored inside the freaking VeraCrypt crypt!
But there are ways and means… I can always try and grab stuff off other machines that aren’t encrypting my resilio shares (note RSL does encrypt the p2p sync data traffic)…