Now do LUKS. I'm genuinely curious. 1k sat bounty.
Replies (2)
TLDR: Use a secure passphrase if you want the device protected against any resourceful actor.
When most distros provide encryption with LUKS they at least ask you to set up a credential. Almost all distros just ask for a password. They don't seamlessly allow setting up in other ways in a UI like BitLocker does or in the installer. You often need to read up on docs and such which can be tiresome.
LUKS full disk encryption in how most users would know it would only be safe if they used a long, secure passphrase that would be impossible to brute force. A short 6-digit numeric PIN works for some phones because a secure element throttles unlock attempts but would be brute forced very quickly on LUKS, VeraCrypt and so on because they aren't using a TPM for throttling.
Secureblue (hardened Linux distro we like) supports LUKS with TPM and also FIDO2.
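An added example, not part of the reply above: a small Python model of why a 6-digit PIN holds up behind hardware throttling but not as a passphrase-only LUKS credential, and how long a passphrase has to be instead. The 1-second KDF cost, the 1000 parallel workers, the 30-second throttle delay and the 1,000,000-year target are all assumptions chosen for illustration, not measurements of any device or distro.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets of this length."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret, in bits."""
    return length * math.log2(alphabet_size)

def offline_exhaust_seconds(space: int, kdf_seconds: float, workers: int) -> float:
    """Worst case when the only cost per guess is the key-derivation function
    (a copied LUKS header with no hardware in the loop)."""
    return space * kdf_seconds / workers

def throttled_exhaust_seconds(space: int, free_attempts: int, delay_seconds: int) -> int:
    """Worst case when hardware forces a fixed delay after a few free attempts."""
    return max(0, space - free_attempts) * delay_seconds

def min_length_for(alphabet_size: int, kdf_seconds: float,
                   workers: int, target_years: float) -> int:
    """Shortest random secret whose offline exhaustion time meets the target."""
    target = target_years * SECONDS_PER_YEAR
    length = 1
    while offline_exhaust_seconds(keyspace(alphabet_size, length),
                                  kdf_seconds, workers) < target:
        length += 1
    return length

if __name__ == "__main__":
    KDF_S, WORKERS, TARGET_YEARS = 1.0, 1000, 1e6    # assumed values
    pin = keyspace(10, 6)
    print(f"6-digit PIN: {entropy_bits(10, 6):.1f} bits")
    print(f"  offline, KDF only : {offline_exhaust_seconds(pin, KDF_S, WORKERS):.0f} s")
    days = throttled_exhaust_seconds(pin, 5, 30) / 86400   # assumed throttle policy
    print(f"  hardware-throttled: {days:.0f} days")
    for name, alphabet in (("digits", 10), ("lowercase letters", 26),
                           ("diceware words", 7776)):
        n = min_length_for(alphabet, KDF_S, WORKERS, TARGET_YEARS)
        print(f"random {name}: at least {n} "
              f"({entropy_bits(alphabet, n):.0f} bits)")
```

Real secure elements usually escalate delays or cap attempts rather than using a fixed delay, so the throttled figure here is a lower bound on what throttling buys.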
I hear great things about secureblue but I still can't overcome my grudge over RPMhell back in the day.
My LUKS pw is NOT 6 characters and for bonus points I have no idea what it is thanks to my OnlyKey. FIDO2 LUKS sounds even better for sure.