Full-Diskencryption ( /boot included ) is the only way to protect the system itself. Anything else is simply not secure.systemd-homed doesn't depend on /etc/passwd or /etc/shadow for authentication. By all means its security guarantees should be evaluated. https://github.com/systemd/systemd/pull/14096