Questions About Live Mode

I live in a country in which the government can demand a person decrypt a drive. My threat model is having someone corrupt demand I decrypt.

I am not worried about the first demand to decrypt. I am worried that if I do decrypt, there will be some sort of information about a hidden partition that could be recovered.

How live is live mode? If I use something like gnome-boxes and load hidden boxes during live mode, and if these boxes are in a hidden partition, will there be any forensic evidence left after live mode that I used hidden partitions?

Can I write to the home directory during live mode? Can applications write to the home directory during live mode or cache anything? Many applications use .directories in home that are hidden to store files. May this still happen during live mode?

It sounds like you’re talking about using some form of plausibly deniable encryption. This is generally a bad idea and is not easy to attempt in the first place, see:

See also: GitHub - Kicksecure/grub-live: optional grub live boot menu entry as second option https://www.kicksecure.com/wiki/Grub-live

No claims are made with regard to anti forensics.

Live mode attempts to mount all persistent and many non-persistent filesystems read-only and mounts read/write overlays on top of them if possible. If you mount partitions or drives that were not mounted at bootup, or if you write to locations that livecheck warns you are mounted read/write, any changes made to those locations will be persistent.

If your system has a large quantity of RAM, it may be possible to run VMs without leaving persistent data on the system by creating them while in live mode, and then accepting the fact that they will be wiped on shutdown. This will require that your system has enough RAM to store the entire contents of the VM disk image in memory.

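An added example (not part of the original posts, and not Kicksecure's livecheck): a shell function that reads a listing in /proc/mounts format and reports the mount points that are backed by a block device and mounted read/write, which according to the reply above are the locations where changes persist. The sample listing and every path in it are constructed for illustration and do not describe grub-live's real layout.

```shell
#!/bin/sh
# Added example. Input format (one mount per line, as in /proc/mounts):
#   source mountpoint fstype options dump pass

# Constructed sample: a live-style session (read-only disk, RAM-backed
# overlay) plus a USB stick that was mounted after boot. Hypothetical paths.
sample_mounts() {
cat <<'EOF'
/dev/sda1 /live/image ext4 ro,relatime 0 0
tmpfs /live/overlay tmpfs rw,relatime 0 0
overlay / overlay rw,relatime,lowerdir=/live/image,upperdir=/live/overlay/upper,workdir=/live/overlay/work 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /boot/efi vfat ro,relatime 0 0
/dev/sdb1 /media/user/USB\040STICK vfat rw,nosuid,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
EOF
}

# Print the mount point of every filesystem whose source is a block device
# (/dev/...) and whose option list contains the exact option "rw".
# tmpfs, overlay and pseudo filesystems are skipped: their source is not
# a /dev/ node, so they are not reported here.
# Mount points are printed as the kernel escapes them (space = \040).
persistent_rw_mounts() {
    awk '
    $1 ~ /^\/dev\// {
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) {
            if (opts[i] == "rw") {
                print $2
                break
            }
        }
    }'
}

# Demo on the constructed sample. On a real system, run instead:
#   persistent_rw_mounts < /proc/mounts
sample_mounts | persistent_rw_mounts
```

An empty result only means that no block-device filesystem is currently mounted read/write; it says nothing about swap or about data written before live mode was booted.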

You can use this method to double the disk size for running virtual machines in live mode: Grub-live improvement - overlay-mount.sh - add, increase size= mount command parameter - Development - Whonix Forum