BTRFS has a concept called a subvolume. You are allowed to mount it just like any other device. This is an example /etc/fstab I’ve copied from somewhere some time ago.
/efi (or /boot, or /boot/efi, whatever floats your boat) still has to be a separate vfat partition, but all the other mounts are, technically speaking, the same partition mounted many times with a different subvolume set as the target.
Obviously, you don’t need to have all of them separated like this, but it allows you to fine-tune the parts of the system that do get snapshotted.
My suggestion would be to set up a keyfile to unlock the partition automatically. You can use your EFI partition to store the keyfile, which makes no sense from a security perspective; or you can keep it on a USB drive. The machine will ask for a password if the USB is not present, or boot straight up if it is.
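The two config fragments the comments above describe, as an added example that is not part of the original thread: the btrfs fstab lines that mount one filesystem several times with a different `subvol=` target each (plus the separate vfat EFI partition), and a crypttab line that unlocks the LUKS container from a keyfile on a removable drive and falls back to a passphrase prompt when the drive is absent. Every UUID and device path is a constructed placeholder; `keyfile-timeout=` is a systemd-cryptsetup crypttab option, so the fallback behaviour assumes a systemd-based initrd (Debian's initramfs-tools uses a different mechanism); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the comments above. Emits /etc/fstab and /etc/crypttab
# entries for a btrfs-on-LUKS layout with per-subvolume mounts. UUIDs and device
# paths are constructed placeholders; the function names are this example's own.

# fstab line for the unencrypted vfat EFI partition. umask=0077 keeps kernels and
# initrds readable by root only, so nothing on the system can read them as a user.
efi_fstab_entry() {
    printf 'UUID=%s %s vfat umask=0077 0 2\n' "$1" "$2"
}

# One fstab line per "subvolume:mountpoint[:extra,options]" argument, all pointing
# at the same filesystem UUID. The optional third field hardens individual
# subvolumes (nosuid,nodev on /home; noexec on /var/log) without touching the rest.
btrfs_fstab_entries() {
    uuid=$1; shift
    for spec in "$@"; do
        subvol=${spec%%:*}
        rest=${spec#*:}
        mnt=${rest%%:*}
        extra=${rest#*:}
        [ "$extra" = "$rest" ] && extra=""   # no third field was given
        opts="defaults,noatime,compress=zstd,subvol=$subvol"
        [ -n "$extra" ] && opts="$opts,$extra"
        # btrfs is not checked by fsck at boot, hence pass 0
        printf 'UUID=%s %s btrfs %s 0 0\n' "$uuid" "$mnt" "$opts"
    done
}

# crypttab line (systemd-cryptsetup syntax): the key file path is followed by ":"
# and the device that holds it. If that device does not appear within the timeout,
# systemd-cryptsetup falls back to prompting for the passphrase.
luks_crypttab_entry() {
    name=$1; luks_uuid=$2; key_path=$3; key_dev=$4; timeout=${5:-10s}
    printf '%s UUID=%s %s:%s luks,keyfile-timeout=%s\n' \
        "$name" "$luks_uuid" "$key_path" "$key_dev" "$timeout"
}

# Demo output with constructed identifiers (all placeholders).
efi_fstab_entry 1234-ABCD /efi
btrfs_fstab_entries 11111111-2222-3333-4444-555555555555 \
    "@:/" \
    "@home:/home:nosuid,nodev" \
    "@log:/var/log:nosuid,nodev,noexec" \
    "@snapshots:/.snapshots"
luks_crypttab_entry cryptroot 66666666-7777-8888-9999-000000000000 \
    /keyfile /dev/disk/by-id/usb-KEYDRIVE-part1
```

The key device in the crypttab line should be the removable drive, never the EFI partition: a keyfile stored on the unencrypted EFI partition travels with the disk, so anyone holding the disk holds the key, which is the point the comment makes. With the device given by its `/dev/disk/by-id/` path, the machine boots unattended while the drive is plugged in and asks for the passphrase after the timeout when it is not.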
You’re pointing at the ugliest corner there is, and yet I’d like to point out that there’s been that kind of attack yesterday and the day before; and the tools and people reacted well enough for it to go unnoticed for most folk on the fediverse.
Honestly, for long-term usage like this a rolling release distro is better. I’ve never not had massive issues upgrading Ubuntu release to release, but I’ve only ever had minor ones on Arch and pretty much nothing on Gentoo. Arch is bleeding edge, so I can’t recommend it to you all that much, and Gentoo has some learning curve initially. But I’ve heard good things of whatever the rolling names are from Fedora and openSUSE.
Ah, I had misunderstood your /boot situation previously. There’s an easy way to fix it: back up the current content of /boot, unmount it, create some dir somewhere where there’s space (/tempboot was my choice last time), bind mount it to /boot and go through the apt process. Then unmount the bind, mount the real /boot, delete everything except the currently booted kernel stuff, copy all the things from /tempboot, update the initrd and grub. Et voilà!
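The bind-mount workaround from the comment above, written out as a script; this is an added example and not the commenter's own script. It assumes a Debian-style system (apt, `update-initramfs`, `update-grub`), uses /tempboot as the scratch directory because that is the comment's choice, and takes the real /boot device from `BOOT_DEV`, which defaults to a constructed placeholder. `plan_boot_cleanup` is this example's own helper: it is a pure dry-run filter you can run on `ls /boot` before anything is deleted, which is the step in the procedure where a mistake leaves the machine unbootable.

```shell
#!/bin/sh
# Added example, not from the comment author. The "/boot too small for apt" trick:
# stage the upgrade on a bind-mounted scratch directory, then put the real /boot
# back with only the running kernel kept and the staged files copied in.
# stage_boot/restore_boot need root and a real system; plan_boot_cleanup is a
# dry-run helper. /tempboot is the comment's choice; /dev/sda1 is a placeholder.

STAGE=/tempboot
BOOT_DEV=${BOOT_DEV:-/dev/sda1}   # placeholder: set BOOT_DEV to the real /boot device

# Read file names (one per line, as from "ls /boot") and print the ones that
# belong to a kernel version other than $1. Only kernel artefacts are considered;
# grub/, efi/ and anything else is always kept.
plan_boot_cleanup() {
    running=$1
    while IFS= read -r f; do
        case $f in
            vmlinuz-*|initrd.img-*|config-*|System.map-*)
                ver=${f#*-}   # "vmlinuz-6.1.0-18-amd64" -> "6.1.0-18-amd64"
                [ "$ver" = "$running" ] || printf '%s\n' "$f" ;;
        esac
    done
}

# Step 1: back up /boot, unmount it, and bind-mount a scratch directory with
# free space in its place so apt can unpack the new kernel there. Seeding the
# scratch dir with the backup keeps dpkg's view of installed kernels consistent.
stage_boot() {
    cp -a /boot "$STAGE.bak"
    umount /boot
    mkdir -p "$STAGE"
    cp -a "$STAGE.bak"/. "$STAGE"/
    mount --bind "$STAGE" /boot
    echo "staged: run the apt upgrade (and apt autoremove), then restore_boot"
}

# Step 2: drop the bind mount, mount the real /boot, delete every kernel that is
# not the one currently running, copy the staged files in, regenerate initrd and
# grub config. Review "ls /boot | plan_boot_cleanup $(uname -r)" before this.
restore_boot() {
    umount /boot
    mount "$BOOT_DEV" /boot
    ls /boot | plan_boot_cleanup "$(uname -r)" | while IFS= read -r f; do
        rm -f "/boot/$f"
    done
    cp -a "$STAGE"/. /boot/
    update-initramfs -u -k all
    update-grub
}
```

Run `apt autoremove` while the bind mount is still in place: apt then removes the obsolete kernels from /tempboot, so copying "all the things" back afterwards brings in only the kernels dpkg still considers installed. Keep the `$STAGE.bak` copy until the new kernel has booted once.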
You won’t. Arch has very little glue that holds it together and the components are quite robust. Buntus of this world, on the other hand, have plenty of glue to enforce their way. And it might be good for first timers, but definitely gets in the way as you start learning the system. My last annoyance like this was disabling gdm - it just kept coming back. Some script somewhere was making sure the service was running no matter what.