I'd like to create a new user via policy that is enabled for FileVault 2/has SecureToken. As noted in the Local Accounts payload, the "Enable user for FileVault 2" option no longer works in anything beyond 10.13. After doing some digging, the only solution I have come across to do this is using sysadminctl to grant SecureToken to the account after creation. This is something I'd like to avoid if possible, since it requires passing not only the credentials for a SecureToken-enabled admin through a script, but also the credentials for the account to be enabled.
Are there any secure methods to achieve this?