following out of interest ( I do not currently have Connect) .. but I thought one of the big sell points of connect is the accounts would then be local, hence having a security token. I guess if one of these accounts did not get a security token that probably would have put me full stop till that issue was resolved.

Another sys admin (that  knows nothing about apple devices) kind of referred me to this leaching of the local admin security token method while I was trying to argue for the purchase of Connect, and tested showed every password change has the potential to cause serious issues with this approach (that was really intended for parents to be able to be to control encryption on kids accounts) 

So i figured out that the user was not explaning this correctly, jumped on a zoom and confirmed it is the FV unlock screen at reboot. This is normal once FV2 is enabled on machines. 

Jamf Connect is a very good product in my opinion for keeping account password in sync locally and through your directory. I dont agree completely with every password being a possible issue, you just need to make sure that you have jamf connect sync setup correctly in the config profile. I can say that managing passwords without Jamf Connect was not fun especially with AD binded macs

The SecureToken issue is ultimately caused because a boostrap token isn't found for the machine, I think its an apple issue at that point and not Jamf