The "root account is locked" is due to a 2015 Debian change to harden security to prevent the single user mode passwordless shell. Link to the bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 IIRC it was meant more for publicly exposed systems, as the security benefits for an already fully encrypted system are very small, but it causes a lot of pain when trying to recover your system. I disabled it on mine with a workaround patch that's in the bug report.

This seems to have begun to occur more frequently to me lately. It happens after almost every suspend after a longer on time, having to resuspend and resume each time to fix it. I updated the firmware around a week ago (this is a Librem 15 v3).
Also I wouldn't call the resuspend/resume a "fix", but rather a workaround.

I think this is relevant: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930696
IMO a keyscript is unnecessary.
I ran into it when migrating my unencrypted PureOS to a new disk and adding LUKS to it at the same time (I first tried a fresh install but the installer failed for which I already opened a separate bug). I wrote up a quick guide on how to do that on Pureos/Debian, by the way: https://github.com/jjakob/wiki/wiki/Migrating-an-unencrypted-PureOS-Debian-install-to-fully-encrypted
Also getting rid of the unencrypted /boot partition would largely improve the security, I would highly recommend it as the default for the encrypted install. There's no need to enter the passphrase twice if a keyfile is used, and it works flawlessly.

Case 4)
No prior partitions.