The State of Authenticated Boot and Disk Encryption on Generic Linux (0pointer.net)
18 points by ghostpepper on June 20, 2023 | hide | past | favorite | 1 comment


In the case of the `/home` directory being suggested as protected by the system-wide encryption key (and using dm-integrity for an authenticated approach) over (and instead of) the separate home-specific encryption mechanism (as well as the system-wide file system, resulting in double-encryption effort), ...

Instead of leveraging the same system-wide disk encryption on the `/home` directory, use a separate encryption volume for each user under its home directory?

This way, the choice is left to the user, who can choose their own algorithm (as well as their own authenticator method) for the encryption of their own home directory; it still reaps the benefit of not double-encrypting.

Also, in the case of a hijacked-key scenario, an integrity failure of a boot would not even attempt to compromise or access the user data (in its '/home' resting state).
