I recently put a rather lenghty effort into full disk encrypting my uConsole with NVME SSD and the Debian Trixie image. I did finally get it to work (see this post), but the biggest hurdle was me recognizing that this image does not utilize an initramfs for boot.
When using an encrypted boot partition an initramfs must be present and contain all necessary stuff for initial decryption. So in my case, I have to manually copy the initramfs into the boot partition after every update that touches it.
Raspberry Pi OS Trixie (not sure about Bookworm) does use one and renew it on updates (probably via an update-initramfs hook)
@rex - have you thought about going down the same path, also enabling a initramfs? This would make using disk encryption scenarios much easier.