If you encrypt your partition on Debian you may be subject to a critical flaw in cryptsetup. More details:
PoC: CVE-2016-4484
French article on ZDNet
It needs a physical access to the machine, and as usual, a physical access allows many things…
It needs to reboot the machine. A turn on machine is already in “decrypted mode”…
Debian has corrected the bug, an updated is sufficient.
I agree with you at 90% but keep in mind a console access doesn’t always mean physical access think virtual machines, KVM or even remote consoles (like in the Scaleway dashboard for exemple).
Anyway, I agree that is a relatively limited flaw but a flaw nevertheless 