I’m personally a fan of this method: Btrfs subvolumes with swap.
You only need two partitions, an EFI System Partition (that one has to remain unencrypted, it will contain your kernel and ntldr bootloader ie in
/boot/EFI/.. (the Windows bootloader will only be there if you dual boot with Windows).
The other one can be a single partition. You can use btrfs subvolumes to simulate partitions this means you can cut out using LVM altogether. Btrfs is a newer filesystem than the conventional EXT4, but it is stable enough for regular use (as long as you’re not using RAID5/6). You can even use a swap file on a partition.
This would be optimal for a system that has a a disk non-raided that you wish to install Linux on. The Ubuntu installer uses the LVM approach.
Now seeing as you asked about “most secure” way, i would consider also looking at the Secure Boot article, specifically the using your own keys. I’m a fan of the
sbctl for signing your own kernels etc.
I’ve been looking into using TPM as well, in order to prevent “evil made” attacks, that is where someone gets access to your computer and tampers with the kernel in some way. TPM can be used to do certain things such as taking measurements (verifying boot process). Some more about it here: https://mjg59.dreamwidth.org/48897.html