Any chance you can add getting the LUKS key from OTP on boot with initramfs? It's pretty easy with https://github.com/raspberrypi/rpi-eeprom/blob/e430a41e7323a1e28fb42b53cf79e5ba9b5ee975/tools/rpi-otp-private-key

This would make it a lot more convenient and secure. Namely can sign the boot loader to prevent it from being modified then just decrypt LUKS automatically for reasonably security.

Sure you can dump the key if you manage root access but without root access, it seems secure.