Am 05.12.19 um 13:32 schrieb Lennart Poettering:

Well, the way this has been traditionally done is that the lock screen
is displayed by a program running under the user's identity and that
the user's data is entirely unlocked the entire time during suspend,

That depends on what you have chosen "sleep" or "hibernate" .

If the device just sleeps, your data is unprotected, as the key could be in your still powered memory bank.

With hibernation, as far as I have seen it with my devices, the hw stops entirely after saving the memory state to disk,
an encrypted disk I may add. On boot, it asks for the decryption keys as it would normally do, finds the hibernate signature
on swap ( i presume / which is also encrypted ) and restores memory. I don't see a way for an attack here.

I think your approach is not to the full extent of all possible user data locations. Some examples:

/var/lib/mysql MariaDB SQL Database ( required i.e. by MythTV )
/var/www/ Apache Webserver ( required i.e. by RoundCube, BackupPC or Gnome User-Share )

if those aren't common enough, this will be:

/media/ Additional Storage Drives

It's quite common to have additional storage space on a desktop pc, which do not exactly extend /home/ space, more general space. If you have more than one "user" on a system, you can't mount it into /home/username/path as of the rights management.

When I had to estimate my system, it's a hundred GB in /home/ against a few TB != /home . Anyone who as ever bought a second drive for his/her/it pc , will face this problem, or has to learn to use LVM. I don't think it will work for the majority of userbase. It will only work for simple cases.

best regards,
Marius