
There are some reasons you'd want to encrypt even without a secret key. One is it makes it easier to erase data (just erase the key).

It also makes bit flip errors a lot more obvious, which is another way of saying harder to ignore, so that can go either way.



Can't bit flip errors also destroy encrypted volumes much more easily?


I think it depends. Encrypted filesystems typically encrypt contents of each file separately - that way you don't need to read / write the whole disk to read or write any individual file contents. Of course that means metadata may be in plain text or may be separately encrypted - again possibly folder by folder instead of all metadata at once. Exact details would vary with different file system encryption schemes.

Whereas if you image the disk and encrypt the image properly, that gives you all the great confidentiality guarantees but no random access.


> Encrypted filesystems typically encrypt contents of each file separately - that way you don't need to read / write the whole disk to read or write any individual file contents.

Ah, that's not true of "full disk encryption". It usually encrypts the disk blocks.

File-based encryption is stronger; you can use different protection classes on different files, you can use authenticated encryption, etc. iOS does it this way and I assume other systems have caught up, but don't know any in particular.


File-based encryption leaks metadata (which in some cases is bad enough to render it unusable).


No one said you had to leave the FS itself unencrypted.


Most FDE systems are not authenticated so you would only lose one block (16 bytes for AES). Can this be bad? Yeah, but it's not that bad for data recovery.


Not to mention that most drives start having issues with dead sectors rather than bitflips, and that's (usually) 4K.


Encryption does not make bit flips obvious; authenticated encryption would.


A single bit flip would mess up the block, and hopefully the rest of the stream and the padding, no?


Most unauthenticated encryption modes only mess up a few bits of a block, sometimes the following block too. A few only flip the exact bit in the plaintext.
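
An added example, not part of the thread, measuring what the comments above discuss: one ciphertext bit is flipped and the damage to the decrypted plaintext is counted per 16-byte block for CBC and CTR, then the same flip is checked against an encrypt-then-MAC tag. Assumptions: a toy Feistel cipher built from SHA-256 stands in for AES so the code needs only the standard library, and the keys, IV, nonce and plaintext are constructed sample values.

```python
import hashlib, hmac

BS = 16  # block size in bytes, the same as AES
ENC, DEC = (0, 1, 2, 3), (3, 2, 1, 0)  # round order for encrypt / decrypt

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BS] for i in range(0, len(data), BS)]

def feistel(key, blk, rounds):  # toy block cipher standing in for AES
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:8])
    return r + l  # final swap, so the reversed round order decrypts

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for blk in blocks(pt):
        out.append(feistel(key, xor(blk, out[-1]), ENC))
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):  # block i depends on ciphertext blocks i and i-1
    return b"".join(xor(feistel(key, c, DEC), p)
                    for c, p in zip(blocks(ct), [iv] + blocks(ct)))

def ctr_crypt(key, nonce, data):  # the same call encrypts and decrypts
    return b"".join(xor(blk, feistel(key, nonce + i.to_bytes(8, "big"), ENC))
                    for i, blk in enumerate(blocks(data)))

def bits_changed(a, b):  # differing bits per 16-byte block
    return [sum(bin(x ^ y).count("1") for x, y in zip(p, q))
            for p, q in zip(blocks(a), blocks(b))]

def demo():
    key, mac_key, iv, nonce = b"k" * 16, b"m" * 16, bytes(BS), bytes(8)
    pt = bytes(range(64))  # constructed sample plaintext: four blocks
    flip = lambda ct: ct[:BS] + bytes([ct[BS] ^ 0x08]) + ct[BS + 1:]  # 1 bit in block 1
    cbc, ctr = cbc_encrypt(key, iv, pt), ctr_crypt(key, nonce, pt)
    mac = lambda ct: hmac.new(mac_key, ct, hashlib.sha256).digest()  # encrypt-then-MAC tag
    return {"cbc": bits_changed(pt, cbc_decrypt(key, iv, flip(cbc))),
            "ctr": bits_changed(pt, ctr_crypt(key, nonce, flip(ctr))),
            "tag_ok": hmac.compare_digest(mac(ctr), mac(flip(ctr)))}

if __name__ == "__main__":
    print(demo())
```

In the result, CBC shows one garbled block followed by a single flipped bit in the next block, CTR shows a single flipped bit, and only the MAC comparison reports that anything changed.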



