Having read through this thread in detail, I'd have a few suspicions about the original aim of the thread.
When whole-disk encryption was suggested (requiring a password at boot time):
To my mind, the desire to secure Node-RED data (presumably as it contains a plethora of credentials for IoT cloud services?) is a noble one, and undoubtedly a common one.
But this comment above, combined with the earlier stated goal of wanting to make sure nobody runs off with the SD card of a Pi, I would argue makes this one a niche case.
I expect the majority of users would want to protect against online attack, but the point being discussed is the (very reasonable) possibility of physical theft. Given this, the salient point would be:
to which the response was:
This makes the enquiry even more niche. Maybe I'm jumping to conclusions here but the idea that you couldn't do software updates over SSH presumably means that Pis are being installed without network connections. And this is why the SD slot needs to be exposed. i.e. someone has actually built this update procedure into their business plan, or somesuch.
Also to be concerned with theft of data from an SD card, but NOT be concerned with the theft of the Pi itself, that's even more niche. i.e. someone who already has physical access to the room or location where the Pi is.
i.e. someone known to you.
Sounds like @dennishvo has already identified from whom this genuine risk of theft comes from. Someone who works with the unit, know what it does, and knows how to recover raw data from an SD card, knows where to look for Node-RED configuration files, and knows how to build a Node-RED server to import / inspect them to steal his work. For example, an IT Engineer. Or those people who are charged with the job of updating SD cards.
Sounds to me like someone who is in need of a security consultant for their specific use case.
Again, hope I haven't jumped to too many conclusions here, but I am somewhat bemused by the original questions "what are others doing" or "I haven't seen a satisfactory answer"