I tolerate systemd as I want to use a popular distro for desktop use, but given the project's dismal security record (and attitude!) I can't trust systemd explicitly handling cryptographic secrets. No thank you; there are better options available https://wiki.archlinux.org/index.php/YubiKey#Full_disk_encry...
By my understanding, systemd is just handling the unlocking process and merely provides LUKS with your password/token communication. LUKS is the part that actually needs to be secure beyond systemd just not emailing your password to the gubment/north korea/4chan. LUKS unlocks its key store with the info you provide it which is used to decrypt the drive.