What remount-secure does is easy to log indeed. That always worked. What was hard to debug was some random unrelated service breaking.
That would be a good solution.
Before piling up more and more initramfs stuff, could you port all of Whonix to dracut and implement this using a dracut hook?