If you encrypt your partition on Debian you may be subject to a critical flaw in cryptsetup. More details: PoC: CVE-2016-4484French article on ZDNet
It needs a physical access to the machine, and as usual, a physical access allows many things... It needs to reboot the machine. A turn on machine is already in "decrypted mode"...
Debian has corrected the bug, an updated is sufficient.
I agree with you at 90% but keep in mind a console access doesn't always mean physical access think virtual machines, KVM or even remote consoles (like in the Scaleway dashboard for exemple). Anyway, I agree that is a relatively limited flaw but a flaw nevertheless