Does the lock down of user with user-sysmaint-split relate to the issues with Veracrypt and Zulucrypt and non sysmaint “user” being able to use them?
Whonix user isolation (user-sysmaint-split) breaks VeraCrypt workflow - Support - Whonix Forum
FWIW Tails uses polkit rules for org.freedesktop.udisks2.open-device
Veracrypt and Zulucrypt both use udisks2 and cryptsetup directly right?