At the end it mentions a nonce based approach probably being the more sensible way. Shay Gueron presented at RWC 2024 about a nonce based approach (DNDK-GCM): https://www.youtube.com/watch?v=GsFO4ZQlYS8&list=PLeeS-3Ml-r... -- they mention Meta are using this as their default in their encryption library.

There is also an internet draft on it: https://datatracker.ietf.org/doc/draft-gueron-cfrg-dndkgcm/