No problem. Thanks to your previous comments, I discovered that VirtualBox allows me to create an NVMe controller, which let me see how it worked. So it was all good — I learned something (always good to do); and I made the script both more robust and more flexible.
That's not necessary, because the full-system encryption includes /boot within LVM, which is in turn within LUKS. It all works. The important point is the next one that you make:
That's the big one. We need to have proper signing on the EFI System Partition, because that's the only vector for malware on a locked machine. Unfortunately, it is way beyond my level of competence to even comment on how.
I refer you to the bug's comment #25 by Jonathan Polom, who explains a bit more about the signing flaw. I'd love to raise a bug report for this shortcoming, but I have insufficient knowledge to even begin to frame the report.
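Since the post leaves open how one would even begin to check signing on the EFI System Partition, here is an added example that is not from this thread, the bug report it cites, or any project mentioned in it. It performs the most basic check a practitioner would want: parse the PE/COFF header of each `.efi` file and report whether it carries an Authenticode certificate table (the WIN_CERTIFICATE records that Secure Boot firmware verifies), rejecting malformed tables. The function names `inspect_pe`, `scan_esp` and `build_sample_image` are chosen here, the sample images are constructed inline, and the "certificate" payload in them is zero padding standing in for a real PKCS#7 blob.

```python
#!/usr/bin/env python3
"""Report whether EFI binaries on an ESP carry an Authenticode signature.

Added example. It reads data directory entry 4 (IMAGE_DIRECTORY_ENTRY_SECURITY)
of the PE optional header, which holds a file offset to the WIN_CERTIFICATE
table. Only presence and well-formedness of that table are checked; whether the
signer chains to a key in the firmware's db is a separate step (e.g. sbverify).
"""
import os
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
EFI_SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
                  12: "EFI runtime driver", 13: "EFI ROM"}


def inspect_pe(data: bytes) -> dict:
    """Parse a PE image and describe its subsystem and certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)                           # COFF header, 20 bytes
    opt_off = pe_off + 24                                       # optional header start
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == PE32PLUS_MAGIC:
        nrva_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        nrva_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (subsystem,) = struct.unpack_from("<H", data, opt_off + 68)  # same offset in PE32/PE32+
    (nrva,) = struct.unpack_from("<I", data, opt_off + nrva_off)
    info = {"machine": machine, "subsystem": subsystem,
            "is_efi": subsystem in EFI_SUBSYSTEMS, "certificates": [], "signed": False}
    if nrva <= SECURITY_DIR_INDEX or dirs_off + 8 * nrva > opt_size:
        return info                                             # no security directory at all
    sec_off, sec_size = struct.unpack_from(
        "<II", data, opt_off + dirs_off + 8 * SECURITY_DIR_INDEX)
    if sec_off == 0 or sec_size == 0:
        return info                                             # directory present but empty
    if sec_off + sec_size > len(data):
        raise ValueError("certificate table runs past end of file")
    # The security directory holds a file offset (not an RVA) to a sequence of
    # WIN_CERTIFICATE records: dwLength, wRevision, wCertificateType, bCertificate.
    pos, end = sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", data, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE at offset %d" % pos)
        info["certificates"].append((revision, cert_type, length))
        pos += (length + 7) & ~7                                # records are 8-byte aligned
    info["signed"] = any(t == WIN_CERT_TYPE_PKCS_SIGNED_DATA
                         for _, t, _ in info["certificates"])
    return info


def scan_esp(root: str) -> list:
    """Walk an ESP mount (e.g. /boot/efi) and classify every .efi file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".efi"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            try:
                findings.append((path, inspect_pe(data)["signed"], None))
            except ValueError as exc:
                findings.append((path, False, str(exc)))     # malformed: treat as unsigned
    return findings


def build_sample_image(signed: bool) -> bytes:
    """Constructed minimal PE32+ EFI application, with or without a cert table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew -> right after DOS header
    opt = bytearray(112 + 8 * 16)                               # PE32+ header with 16 directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, 10)                          # IMAGE_SUBSYSTEM_EFI_APPLICATION
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)
    image = bytes(dos) + b"PE\0\0" + coff
    cert_table = b""
    if signed:
        payload = bytes(40)                                      # placeholder for a PKCS#7 blob
        cert_table = struct.pack("<IHH", 8 + len(payload), 0x0200,
                                 WIN_CERT_TYPE_PKCS_SIGNED_DATA) + payload
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX,
                         len(image) + len(opt), len(cert_table))
    return image + bytes(opt) + cert_table


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/boot/efi"
    for path, signed, err in scan_esp(root):
        print("%-8s %s%s" % ("signed" if signed else "UNSIGNED", path,
                             "  (%s)" % err if err else ""))
```

Run it as `sudo python3 check_esp.py /boot/efi` (ESP mount point assumed). An "UNSIGNED" line is the actionable result: with Secure Boot enabled the firmware would refuse such a binary, and with Secure Boot disabled nothing checks it at all, which is the gap the post worries about. A "signed" line only means a certificate table exists; confirming that the signer is actually trusted by this machine's firmware still requires checking it against the enrolled db certificates, for example with `sbverify --cert`.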