I stop the container before I shut the system - all my config and state is maintained.
I also store all container mount points on my data drives. It just keeps it clean for me anyway. Once everything is restarted and LUKS is unlocked, I just restart the containers.
One thing to note: this won't work if the system crashes, as the containers will restart on reboot since they never got stopped. So in that case you'll probably end up with the unencrypted files being created again.
OK.
I think I'd like to try and fix LUKS not mounting on its own first, and then I'll move on to trying some optimizations. Because that part should work, right?