aborsy 5 days ago

Why can’t the user enter the encryption passphrase in DSM, which is actually the default in LUKS and allowed in TrueNAS, etc.?

The DSM itself lives in an unencrypted partition or volume. Applications with data in encrypted volumes will be inaccessible until the volumes are unlocked.

As usual, there is an easy workaround. You can run a KMIP server in a Docker container and set up an external keystore. Once Synology allows you to proceed with volume encryption, you can discard the KMIP server if you want and use the recovery keys.