GoCryptFS: encrypting FUSE filesystem in Go (github.com/rfjakob)
19 points by api on Jan 5, 2016 | 1 comment



I wrote a competing implementation (I wasn't aware of gocryptfs before) at https://github.com/netheril96/securefs. Many points are similar: for example, a random file ID, 4KiB blocks encrypted with AES-GCM mixed with the ID and block number, sparse file support. The major differences are:

* The directory structure. GoCryptFS goes the easy route of encrypting filenames, while mine has its own directory implementation independent of the underlying filesystem. Mine is theoretically safer as it never reuses the IV, but the safety margin is probably so slim that it doesn't matter in practice.

* In addition to authenticating each block individually, mine has an HMAC that authenticates the concatenation of all block-level IVs and GHASHs. It prevents the attack where replacing a block with its past revision does not show up as invalid.
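The rollback case from the second bullet, as an added Go example that is not part of the comment and is not code from securefs or gocryptfs. It MACs each block's IV and GCM tag (Go's standard library does not expose the raw GHASH value), and the AAD encoding, key sizes and HMAC-SHA256 are assumptions of this sketch.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Block struct{ IV, CT []byte } // CT = ciphertext with the 16-byte GCM tag appended

// aad binds a block to its file ID and block number (encoding is this example's own).
func aad(fileID []byte, n uint64) []byte { return []byte(fmt.Sprintf("%x/%d", fileID, n)) }

// sealBlock encrypts one block under a fresh random IV.
func sealBlock(g cipher.AEAD, fileID []byte, n uint64, pt []byte) Block {
	iv := make([]byte, g.NonceSize())
	rand.Read(iv)
	return Block{iv, g.Seal(nil, iv, pt, aad(fileID, n))}
}

// fileMAC authenticates the ordered concatenation of every block's IV and tag.
func fileMAC(key []byte, blocks []Block) []byte {
	m := hmac.New(sha256.New, key)
	for _, b := range blocks {
		m.Write(b.IV)
		m.Write(b.CT[len(b.CT)-16:]) // GCM tag stands in for the GHASH value
	}
	return m.Sum(nil)
}

// rollbackDemo reverts block 1 to a past revision and reports which checks still pass.
func rollbackDemo() (perBlockOK, fileMACOK bool) {
	secret := make([]byte, 80) // constructed key material: AES key, HMAC key, file ID
	rand.Read(secret)
	key, macKey, fileID := secret[:32], secret[32:64], secret[64:]
	c, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(c)
	old := sealBlock(g, fileID, 1, []byte("revision 1"))
	blocks := []Block{sealBlock(g, fileID, 0, []byte("header")), sealBlock(g, fileID, 1, []byte("revision 2"))}
	sum := fileMAC(macKey, blocks) // stored alongside the file at the last write
	blocks[1] = old                // storage layer swaps in the old ciphertext
	_, err := g.Open(nil, old.IV, old.CT, aad(fileID, 1))
	return err == nil, hmac.Equal(sum, fileMAC(macKey, blocks))
}

func main() { fmt.Println(rollbackDemo()) }
```

The old revision still decrypts because it was sealed under the same key, file ID and block number; only the MAC over all IVs and tags notices that the set of blocks changed.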



