I have difficulties wrapping my head around this recommendation:

The admin account can also be removed from FileVault.

What is the benefit of not being able to unlock the disk using the administrator account? I thought the admin account is supposed to be more difficult to be compromised than the normal user account. So why would only the user account get the FileVault key?

I think I understand the technical details, but don't understand the threat scenario. I would appreciate any clarification.

Thank you for your time 🙂

I can't think of any particularly strong reason to do this, other than as a general separation of privilege, but even then the risk is difficult to comprehend. Feel free to remove or change that directive.

Also from https://support.apple.com/HT203998

If FileVault is enabled, a hidden user may continue to appear in the initial login window after the computer is turned on or restarted.

which leads the whole thing ad absurdum

Thanks for the fix!