This leads me to believe that the bootloader before loader at least has some decryption capabilities built in.

Enable booting from this encrypted root filesystem. The boot loader prompts for the passphrase and loads loader(8) from the encrypted partition.

Yeah, but before loading the kernel you will be asked for a password and it will also be verified (and it will be even used to decrypt the system boot disk later).

A geli encrypted disk actually boots from a non-encrypted boot. That loads the kernel (and geli(8)) which is then able to unlock the encrypted part of the disk.