Definitely! However, the chance of them doing that is relatively small and the usability problem is a lot bigger than the risk of falling victim to an NSA red letter order.
> You can also have TPM + PIN since a few versions of systemd ago. I have set this up on my work laptop and it seems to work well enough.
That's great! Do you happen to know a guide on how to set that up? The guides I can find use TPM to auto-unlock OR provide a PIN/password.