Why no encrypted /boot?

I’m an Arch user new to Qubes, and I’m curious why Qubes doesn’t encrypt /boot. Grub has long supported encrypting /boot in luks1 partitions, and I believe now supports it even in luks2 partitions. I assume Qubes has some reason for still preferring the old behavior with unencrypted /boot. Can someone explain, please?


You can find the answer here:
Can we get rid of the unencrypted /boot partition in Q4.1? · Issue #6151 · QubesOS/qubes-issues · GitHub
Consider encrypting /boot by default · Issue #2442 · QubesOS/qubes-issues · GitHub