& is a piece of regsub syntax (also used in traditional text editors with regex search/replace) and is replaced by the "entire matched string" each time it occurs in the replacement text (\0 is also used); to put an actual & in the replacement text, use \&.
In this case, the idea is to map the special characters by replacing each of them with a [] expression that will later be evaluated (by calling subst).
Example: the folder name set str {ab[cd} (even to set it I have to use {} or Jim will not be happy).
The expression [regsub -all -- {[^A-Za-z0-9@*_+-./]+} $str {[::js::_escape {&}]}] evaluates to ab[::js::_escape {[}]cd. Then the call to subst causes the embedded [] expression to be evaluated, passing [ to the ::js::_escape proc and yielding ab%5Bcd.
In the above, the [^...] bit is another regular expression element meaning "characters that are not in the listed alphanumeric ranges nor are any of the further listed allowed special characters; this again needs {} around it to avoid the [] being interpreted as command substitution. In this case I decided to handle sequences of such special characters in one call to the escaping routine, hence the + meaning "1 or more" special characters; I didn't do any performance tests of this approach against replacing special characters individually with a slightly simpler escaping routine.
Whereas, with [regsub -all -- {[^A-Za-z0-9@*_+-./]+} $str {[::js::_escape "&"]}], we get ab[::js::_escape "["]cd which causes the unmatched "[" diagnostic when subst causes it to be evaluated. I'm sure a Russian meerkat would have something to say about this.
