dasyatidprime, yesterday at 11:00 PM

Normal/classical FDE doesn't truly protect integrity, only confidentiality. Supposedly LUKS2 allows you to run with --integrity, but it's an extra layer of I/O amplification, and if you're willing to take that hit then there's less incentive not to just use an external drive. https://security.stackexchange.com/questions/87367/does-luks...

As for Secure Boot, maybe? I haven't thought through how that would help in this context, but my instinct is to ask how you'd do the binding between “I intend to boot Y instead of X” and “only accept the boot signature for Y instead of X”, so that malware can't try to unexpectedly substitute X. It feels like there's probably places for attackers to mess around here unless you're very careful.