What does LUKS actually protect?
LUKS (Linux Unified Key Setup) encrypts a disk so that the bytes on it mean nothing without the passphrase. The protection is for data at rest: the moments when the machine is off or the drive is somewhere it should not be. Pull the drive and plug it into another computer, steal the box while it is powered down, or send a dead disk back under warranty, and what would otherwise be a plain copy of your files is just ciphertext.
The threat it answers is physical, not network. For a self-hosted AI box that holds models, keys, and the odd secret, that covers a real and boring risk: hardware leaves the building more often than people expect. Turn it on once, at install time, and forget it is there.
What does LUKS not protect?
A running, unlocked machine. Once you have typed the passphrase at boot, the disk is open for as long as the system is up. LUKS does nothing about an attacker who is already on the live machine, a remote compromise, or malware. Those are jobs for a firewall, access control, and not exposing services you did not mean to.
It also does nothing about a weak passphrase. The encryption is only as strong as the secret in front of it, so a guessable phrase undoes the whole point. And it does not reach your backups: a copy written out somewhere else is only encrypted if you encrypted it there too, which is a separate decision from LUKS on the primary disk.
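One way to see which mounted filesystems actually sit on a LUKS container, including the backup case above. This is an added example, not part of the original page: the function names and the sample device layout are constructed, and it assumes input in the format of `lsblk -P -o KNAME,PKNAME,FSTYPE,MOUNTPOINT`.

```shell
#!/usr/bin/env bash
# Added example: list mounted filesystems that are NOT backed by LUKS.
# On a real host: lsblk -P -o KNAME,PKNAME,FSTYPE,MOUNTPOINT | unencrypted_mounts

unencrypted_mounts() {
  awk '
    # Return the value of key="..." from one lsblk -P line.
    # The leading space stops KNAME from matching inside PKNAME.
    function val(line, key,    p, rest) {
      p = index(" " line, " " key "=\"")
      if (p == 0) return ""
      rest = substr(line, p + length(key) + 2)
      return substr(rest, 1, index(rest, "\"") - 1)
    }
    {
      k = val($0, "KNAME")
      parent[k] = val($0, "PKNAME")
      fstype[k] = val($0, "FSTYPE")
      mnt[k]    = val($0, "MOUNTPOINT")
    }
    END {
      for (k in mnt) {
        if (mnt[k] == "") continue
        luks = 0
        # Walk up the device stack (LVM, partition, disk) looking for a LUKS header.
        for (d = k; d != ""; d = parent[d])
          if (fstype[d] == "crypto_LUKS") { luks = 1; break }
        if (!luks) print mnt[k]
      }
    }
  ' | sort
}

# Constructed sample: root on LVM inside LUKS, plus a plain ext4 backup disk.
sample_lsblk() {
  cat <<'EOF'
KNAME="nvme0n1" PKNAME="" FSTYPE="" MOUNTPOINT=""
KNAME="nvme0n1p1" PKNAME="nvme0n1" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
KNAME="nvme0n1p2" PKNAME="nvme0n1" FSTYPE="crypto_LUKS" MOUNTPOINT=""
KNAME="dm-0" PKNAME="nvme0n1p2" FSTYPE="LVM2_member" MOUNTPOINT=""
KNAME="dm-1" PKNAME="dm-0" FSTYPE="ext4" MOUNTPOINT="/"
KNAME="sda" PKNAME="" FSTYPE="" MOUNTPOINT=""
KNAME="sda1" PKNAME="sda" FSTYPE="ext4" MOUNTPOINT="/mnt/backup"
EOF
}

sample_lsblk | unencrypted_mounts
```

An unencrypted EFI or /boot partition is normal on most installs; the line to act on is a data or backup mount that shows up in this list.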