Bug#858009: Debian "Full Disk Encryption" is a misnomer, /boot not encrypted, Evil Maid attacks, enable grub cryptodisk, improve guided encrypted partitioning
The Debian Stretch RC2 installer and previous versions do not allow Full Disk Encryption since /boot is more vulnerable to Evil Maid attacks due to it being unencrypted. Securing /boot makes Evil Maid attacks slightly more difficult, raising the cost / time for an adversary with physical access.
I suggest looking at prior bugs from over a year ago suggesting how to start fixing this by enabling the cryptodisk option for grub, then modifying the debian-installer flows to automatically partition using a base encrypted volume for which all other partitions / LVM2 groups sit atop of, including /boot. This would hopefully replace the current and slightly more insecure "Guided - Use Entire Disk and Set Up Encrypted LVM..." option.
Tested Debian Stretch RC2 and prior versions.