It was stated recently that the Librem 5 will now automatically re-encrypt on first boot, partly addressing the concern. So I guess the question would be: is the same change available on the laptops?
Also, even this is not a substitute for anti-interdiction.
Sorry, I didn’t check. To avoid the risks discussed in this thread I’d propose the following:
If you do not check the sources and compile them yourself you need to have a minimum of trust towards Debian, Purism and the community using these products.
That said:
Get your Librem and install the software/firmware by yourself taking care to make sure you know what you install.
If anybody at Purism or on the way somehow changed the system it would be overwritten. If anybody copied your luks encryption key you’d generate a new one.
You need to trust the hardware (at least I do with the kind of knowledge I have) and you need to trust the people providing the software and you need to trust in the community using all that: we are the people who would identify problems in hardware or code nobody thought about while producing them or nobody on the producer side became aware off.