Currently, it is mostly just the org keys (one symmetric key per org, no matter how the collections are divided), which is decrypted with your asymmetric key, which in turn is decrypted using your user symmetric key.
I’m wording this so vaguely though because “cipher key” encryption is around the corner, which has one encryption key per cipher (which in turn is encrypted using your user symmetric key). This helps prevent a certain class of attack against the vaults encryption and integrity. Although my assumption is that the main point of this feature is to make implementing “item sharing” easier, because then the client just needs to share the cipher’s encryption key with the account the item is shared to.
As far as I can tell, vaults will be completely migrated to cipherkey encryption at some point.