@nicole.faerber perhaps an interesting read - although you have probably already considered it: https://blog.cryptographyengineering.com/2016/11/24/android-n-encryption/
My Librem13 usually only goes to sleep while I am not working with it - so encryption is not active. Probably my usage of the laptop is a little uncommon. But with phones it will be VERY common not to shut them down and to have them run 24/7.
If so, the out-of-the-box filesystem-encryption PureOS delivers is absolutely useless for the Librem5 - worst case: the user switches on his smartphone on first use and never switches it off. That means: after the first decryption, no encryption will ever happen.
I remember that besides full-disk encryption methods there are also some per-file encryption schemes focused on cloud usage, where you don’t want to upload the full image, but only small chunks. There was one newer system by a student from Freiburg university or so that sounded quite promising.
Perhaps at least worth a thought.
Happy new year and good luck with Floss-Shop and Purism
PS: The above might even be a topic where the Librem5 could really shine against Android or even Apple’s phones. Switched off - full protection. Locked - phone calls still possible, data encrypted.