this setup has an encrypted root partition. without the key to it tampering with the OS is impossible (see evil maid attack). to save the security concious user the need to remember a strong passphrase for every single boot the key is held in the TPM and bound to a value in PCR #7 that indicates the booted OS was signed with the user's keys (otherwise the key remains practicaly inaccessible), meaning a tampered OS can't access the data and as long as the base OS won't be easily hackable without a password this is good even against limited hardware access.

outside of this this is just a minimal artix linux setup using dinit as the init system.