Well, I think you already mentioned the key thing about encrypting disks. It’s not about protections when the block device is already decrypted and the filesystem already mount. At that point your disks are decrypted and anyone with or without physical access to your device, if gaining any access to it you’re toast. That’s true, but that’s not what disks encryption help you with, and you already mentioned. If you turn off your device, and someone steals it, or gains access to it, they can’t look at your contents, that’s it. That wouldn’t prevent malicious people, to instead plant something through UEFI for example, and you are right about that case. And if you never turn off your computer, and just do sleep to memory, then you depend on how strong your password is, or any other authentication mechanism you have…

Can you explain why if someone get access to your encrypted disk, they would have access to its contents?

Well it’s a bit confusing. On Guix’ wiki General features you can read:

Guix keeps track of these references automatically so that installed packages can be garbage collected when no other package depends on them - at the cost of greater storage requirements, all upgrades in Guix are guaranteed to be both atomic and can be rolled back.

The roll-back feature of Guix is inherited from the design of Nix and is rarely found in other operating systems, since it requires an unorthodox approach to how the system should function (see MicroOS).

And then on its wiki Guix System (operating system) Roll-back you can read:

This is accomplished by a combination of Guix’s functional package manager, which treats each package and system configuration as an immutable and reproducible entity,[58] and the generation system which maintains a history of system configurations as “generations.”

So the system configurations on a Guix system are actually immutable, as opposed to regular gnu+linux distributions, which can change the system configuration on the fly. What else is immutable on Guix, I can’t tell, but at least you can not change its system configs. What is atomic is the upgrades.

I’m not sure, but as Guix borrowed these properties from Nix, I’d think this applies to Nix as well.

In other words, at least the Guix system has immutable components. And further, the system config which is immutable, is also declarative. Combining those two things might be intimidating, since it’s not like on the fly one can go and change the system config, which might be required when debugging some misbehavior, and it’s what most distros document, then one needs to learn about guile, and a bit about functional programming I guess or at least their basics… Deploying systems might take advantage of such declarative configurations though…