@Anonymous
Yes, you can have an encryption scope apply to a specific container. You simply need to create an encryption scope. After the encryption scope is created when you create a container, you can specify a default encryption scope for the blobs that are subsequently uploaded to that container. You cannot change or add a default encryption scope for a container after it is created. For more information see Encryption scopes for containers and blobs.
Your super administrator would need access to the encryption key to view the data or download the blobs. If they do not have access to the proper encryption key then they would not be able to read or download the blob. When you download the file it will no longer be subject to encryption and can be read by anyone. I recommend reading About customer-managed keys and Azure Storage encryption for data at rest for a better understanding of how it works.
-------------------------------
Please don’t forget to "Accept the answer" and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.