
You don't encrypt /usr? I really do not understand the point of encrypting a subsection of your drive.



I'm assuming he specifically mentioned encrypting /home because it's on a different partition/disk? I'm guessing /usr is on the root partition which he said he encrypts.


I guess that /usr is probably on the same partition as his root. But depending on the distro and how the system is managed, it may be the case that every single file in /usr comes from a package and can be cryptographically verified using your package manager (this is certainly possible with Red Hat, Debian + derivatives at least). As long as /var or wherever your package DB lives is encrypted.


>I really do not understand the point of encrypting a subsection of your drive.

To prevent people from reading sensitive data on a stolen/lost laptop.


Everything except /home is on the root filesystem. I've never seen the point in loads of mountpoints.


It's a legacy thing from running UNIX machines with smallish hard drives. A rogue process' log file could fill the root volume and prevent logins to the system. That's why /var/log or /var was on its own mountpoint/partition. It was much more of a UNIX sysadmin thing than a LINUX sysadmin thing, as EXT2 reserved space for root to do things.


Historical reasons aside, some operating systems (like OpenBSD) are designed to be able to implement different security policies by filesystem. For example, you could mark a given filesystem as executable or non-executable, adding yet another layer of security (at least policy-wise) to a system. And really, with things like LVM and btrfs, there's little reason why this is a bad idea anymore, since expanding subvolumes/LVs is generally trivial.


You can do that in Linux by bind mounting a folder to itself with the more secure options. I have a couple of systems where I do this to have directories noexec, nosuid, etc. Kinda hackish but useful.
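
The self bind mount described in the comment above, as an added example that is not part of the original thread: the two mount commands are shown as comments, and the function audits a mount table for the hardening flags. The directory /srv/uploads, the nodev flag and the sample mount table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. /srv/uploads is a hypothetical path.
# Applying the hardening (as root); the flags take effect on the remount:
#   mount --bind /srv/uploads /srv/uploads
#   mount -o remount,bind,noexec,nosuid,nodev /srv/uploads

# Print which of noexec/nosuid/nodev are absent for mount point $1 in a
# /proc/self/mounts-style file $2. If the path is mounted more than once,
# the last line (the topmost mount) wins. Prints "ok" when all three flags
# are set and "not-mounted" when the path is not a mount point at all.
missing_flags() {
    awk -v mp="$1" '
        $2 == mp { opts = $4; seen = 1 }
        END {
            if (!seen) { print "not-mounted"; exit }
            n = split("noexec nosuid nodev", want, " ")
            out = ""
            for (i = 1; i <= n; i++)
                if (("," opts ",") !~ ("," want[i] ","))
                    out = out (out == "" ? "" : ",") want[i]
            print (out == "" ? "ok" : out)
        }' "$2"
}

# Constructed sample mount table (device names are made up):
# /srv/uploads has been hardened, /var/tmp only partly, /home is not
# a separate mount here.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg0-root / ext4 rw,relatime 0 0
/dev/mapper/vg0-root /srv/uploads ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/vg0-root /var/tmp ext4 rw,nosuid,relatime 0 0
EOF
}

# Audit the sample; on a live system pass /proc/self/mounts instead.
tmp=$(mktemp)
sample_mounts > "$tmp"
for d in /srv/uploads /var/tmp /home; do
    printf '%s: %s\n' "$d" "$(missing_flags "$d" "$tmp")"
done
rm -f "$tmp"
```

A plain bind mount inherits the options of the underlying filesystem, so the audit is worth running after boot to confirm the remount step actually happened.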


Have you never used more than one disk in a machine? Locked out of a machine because /var/log is full?


More than one disk -> LVM

And no, only /tmp has reached capacity for me when building large packages with Arch's makepkg.



