Ah, indeed it is. Sorry, I had this assumption that /boot is unencrypted, while in fact it's only /boot/efi that's unencrypted. Now everything checks out.
Not sure why GRUB needs to have the keyfile in order to not ask for the passphrase twice, as systemd-boot does without a keyfile and asks for the passphrase only once, but that's beside this topic.
Thank you for your explanation!