I’ve pushed various improvements to security-misc/usr/bin/remount-secure at master · Kicksecure/security-misc · GitHub but as mentioned in
either the systemd unit needs to be fixed (which nobody knows how to do) or it has to be run from initramfs. When this was discussed earlier, we were based on initramfs-tools. Nowadays on dracut. It might be simpler to implement this using dracut.