/dev/diskXsX would be the actual partition on the drive. If the partition is HFS+ (unencrypted), it would have a partition type of "Apple_HFS" and it would have a mapping table which tells which sectors are used for that partition and this is used to determine which sectors are free. For an encrypted drive, /dev/diskX would be the "virtual" drive. There is a corresponding /dev/diskXsX entry for the /dev/diskX encrypted virtual drive but that'll have a type of "Apple_CoreStorage" (not "Apple_HFS"). The virtual /dev/diskX drive is the unlocked encrypted partition and will have a partition type of "Apple_HFS" and this has the correct sector mapping table need to identify which sectors are not used. If you decline to enter the password for the encrypted disk (or partition), the virtual drive /dev/diskX will not be created.
In your example, you said /dev/disk2s2 and /dev/disk2. That should not be the actual case. What I typically see is if /dev/disk2s2 exists, then some different number would be used for the encrypted drive, like dev/disk3. If you actually have a /dev/disk2s2 and an encrypted drive /dev/disk2, that would be strange.