Keyfile included in unencrypted partition
I just found the following worrying setting: on my full-disk encrypted Manjaro (i3) machine, the mkinitcpio.conf included the crypto_keyfile.bin that unlocks all partitions. As this file is then put in the initramfs, which in turn is on the unencrypted boot-partition, all effects of FDE are nullified. This has been confirmed on a Manjaro Gnome install. The setting seems to originate from here: https://gitlab.manjaro.org/applications/calamares/-/blob/development/src/modules/initcpiocfg/main.py#L203. Given the naming of the variable checked, unencrypted_separate_root, it would indicate this was meant for cases when the boot-partition itself was on an encrypted device; however, it seems like the check is flawed, given the only boot-mountpoint now is /boot/efi.
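
An added example, not part of the original post and not Calamares code: a check that lists what the FILES= setting in mkinitcpio.conf embeds in the initramfs, and whether the filesystem holding the image is an encrypted mapping. The sample config, mount tables, device names and image path are constructed, and it assumes the filesystem sits directly on the dm-crypt mapping (no LVM layer in between).

```python
import re
import shlex

# Constructed sample inputs, not taken from the poster's machine.
SAMPLE_CONF = 'MODULES=""\nFILES="/crypto_keyfile.bin"\nHOOKS="base udev encrypt filesystems"\n'
MOUNTS_EFI_ONLY = "/dev/mapper/luks-root / ext4 rw 0 0\n/dev/sda1 /boot/efi vfat rw 0 0\n"
MOUNTS_SEPARATE_BOOT = MOUNTS_EFI_ONLY + "/dev/sda2 /boot ext4 rw 0 0\n"
CRYPT_DEVICES = {"/dev/mapper/luks-root"}  # assumed: devices lsblk reports as TYPE "crypt"
IMAGE = "/boot/initramfs-example.img"      # hypothetical image path


def initramfs_files(conf_text):
    """Paths named by the last single-line FILES= assignment in mkinitcpio.conf."""
    assignments = re.findall(r"^\s*FILES=(.*)$", conf_text, re.M)
    if not assignments:
        return []
    # Handles FILES="/a /b" and FILES=(/a /b); a trailing "# comment" is dropped.
    tokens = shlex.split(assignments[-1], comments=True)
    return [t.strip("()") for t in tokens if t.strip("()")]


def mount_for(path, mounts_text):
    """(device, mountpoint) of the filesystem holding path; longest mountpoint wins."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        dev, mnt = fields[0], fields[1]
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and (best is None or len(mnt) > len(best[1])):
            best = (dev, mnt)
    return best


def exposed_files(conf_text, mounts_text, crypt_devices, image=IMAGE):
    """FILES entries readable at rest; empty when the image sits on an encrypted device."""
    holder = mount_for(image, mounts_text)
    if holder is not None and holder[0] in crypt_devices:
        return []
    # Unknown or plain device: treat everything embedded in the image as exposed.
    return initramfs_files(conf_text)


if __name__ == "__main__":
    for name, mounts in (("only /boot/efi", MOUNTS_EFI_ONLY), ("separate /boot", MOUNTS_SEPARATE_BOOT)):
        print(name, "->", mount_for(IMAGE, mounts), exposed_files(SAMPLE_CONF, mounts, CRYPT_DEVICES))
```

On a live system the three inputs would come from /etc/mkinitcpio.conf, /proc/mounts and lsblk.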