Sorry LE and WLAN we are not friends. I always use wired.
The .kodi mount in a extra partition I did too for testing. You even can do that with ext4 FS encryption without extra partition. But the ext4 in FS encryptuon is kind of bad documented.
My goal was/is the same: take out one fully encrypted system and all the rest is gone no cache or metadata left.
NBDE with tang and clevis is very cool for that. I do that all the time with any RHEL and clones. At work with hundreds of servers.