Great hack. But there is one exception

[JavaScriptDude]

Love this and it works great.

However, there is one way to bypass this lock that users should be made aware of. Any USB devices connected at boot may bypass this lock. This can be mitigated by first ensuring that the user has full disk encryption enabled to force a password before linux boot and secondly to physically inspect your computer before booting to ensure it has no rogue USB devices connected.

[cryptolok]

Thanks :)

Indeed, while booting the default option is set to true, thus it will automount everything as a hungry Russian soldier.

Yet, FDE (full disk encryption) won't mitigate it since, the kernel is booted to prompt for a password in order to get the DEK (disk encryption key), at least this is the case for LUKS (Linux Unified Key Setup). Physical inspection would work though :)
I believe that changing the default value will need a kernel recompilation (since not accessible by systemctl), that's why I suggested a crontab as a KISS solution. Perhaps, it's possible with a GRUB customization...
After all, if you don't have a physical control over your PC, pretty nothing will save you :)

Anyway, if you have a solution for the kernel option without a recompilation that would be a great contribution :)