Encrypted /boot: why don't I have to enter my password (at least) twice? (Manjaro/Arch)

1 vote
0 answers
20 views
I recently set up Manjaro and noticed that my boot partition seems to be encrypted, neat! I got curious and read a lot about the details of the Linux boot process, however I can't make sense of one fact: I only have to enter my disk encryption password once. To my understanding, every stage of the boot process that needs access to encrypted files needs access to the passphrase. In my case at least two boot phases need access to encrypted files: GRUB (to load the initramfs and the kernel from /boot), and the kernel itself. Since I only have to enter my password once, the kernel must have a different way to access the passphrase. My search yielded [various](https://wiki.archlinux.org/title/Dm-crypt/Encrypting_an_entire_system#Avoiding_having_to_enter_the_passphrase_twice) [posts](https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html#avoiding-the-extra-password-prompt) detailing how to add a keyfile to the initramfs in order to avoid the second prompt for the disk passphrase. That makes a lot of sense, however looking at my initramfs using `cpio -t < /boot/initramfs-6.5-x86_64.img`, it doesn't seem any keyfile is included in the initramfs, nor any other information that would help with the decryption (all files are located in usr/lib/modules and end in .ko.zst). My search then led me to the [Linux x86 boot protocol](https://www.kernel.org/doc/html/latest/arch/x86/boot.html). Again, I didn't find any trace of a standardized way for GRUB to pass the passphrase to the kernel. There is no direct field for a LUKS key, and I also didn't find any hint of GRUB using struct setup_data for that. The cmdline doesn't seem to contain decryption info either (luckily, since it's user-readable).
I've also read (don't remember the source) about GRUB passing the "decrypted device" to the kernel via the root= cmdline, however that sounds weird to me; the concept of a "decrypted device" is only an abstraction, in reality the device is not decrypted; the key is simply held in memory to be able to decrypt what's needed on-the-fly, right? And that's where I am right now. The LUKS key seems to neither be included in the initramfs nor passed to the kernel by GRUB, so how does the kernel boot without asking for the passphrase a second time?
Asked by Syndace (11 rep)
Jun 21, 2024, 09:18 PM
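An added example, not part of the question and not mkinitcpio's own code: a small Python parser for the initramfs layout the question inspects. Arch-style images are often an uncompressed early newc cpio (microcode) followed by zero padding and a compressed main cpio; a plain `cpio -t` on the raw file walks only the first archive and can miss what the compressed second one carries, including an embedded keyfile. The parser walks both segments, and `keyfile_candidates` flags entry names that look like LUKS keyfiles. The sample image, its file names and the keyfile name patterns are constructed assumptions for the demonstration.

```python
import gzip, lzma, re
# A keyfile that avoids the second prompt is embedded via mkinitcpio FILES=(...)
# and referenced on the kernel cmdline (cryptkey=rootfs:/crypto_keyfile.bin).
KEYFILE_RE = re.compile(r"crypto_keyfile|keyfile|\.key$|cryptsetup-keys\.d/", re.I)

def _decompress(blob):
    """Undo gzip/xz by magic; plain cpio (or zstd, needing the zstandard module) is returned unchanged."""
    if blob.startswith(b"\x1f\x8b"):
        return gzip.decompress(blob)
    if blob.startswith(b"\xfd7zXZ\x00"):
        return lzma.decompress(blob)
    return blob

def iter_newc(blob):
    """Yield (name, data) from concatenated newc cpio archives: usually an uncompressed
    early (microcode) archive, zero padding, then the compressed main archive."""
    pos = 0
    while pos < len(blob):
        if blob[pos:pos + 6] != b"070701":
            rest = blob[pos:].lstrip(b"\0")          # padding after TRAILER!!!
            inner = _decompress(rest)
            if inner is not rest:                    # a compressed segment follows
                yield from iter_newc(inner)
            return
        hdr = blob[pos:pos + 110].decode("ascii")    # 13 hex fields after the magic
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        name = blob[pos + 110:pos + 110 + f[11] - 1].decode()   # f[11] = namesize
        start = (pos + 110 + f[11] + 3) & ~3         # name and data are 4-byte aligned
        pos = (start + f[6] + 3) & ~3                # f[6] = filesize
        if name != "TRAILER!!!":
            yield name, blob[start:start + f[6]]

def keyfile_candidates(image):
    """Entry names that look like LUKS keyfiles; an empty list means none is embedded."""
    return [n for n, _ in iter_newc(image) if KEYFILE_RE.search(n)]

def _entry(name, data):                              # one newc entry, for the sample only
    nm = name.encode() + b"\0"
    fields = (0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(nm), 0)
    body = b"070701" + "".join(f"{v:08x}" for v in fields).encode() + nm
    body += b"\0" * (-len(body) % 4) + data
    return body + b"\0" * (-len(data) % 4)

# Constructed sample image (not a real initramfs): early microcode archive, padding,
# then a gzip-compressed main archive carrying a keyfile beside the kernel modules.
SAMPLE_IMAGE = (_entry("kernel/x86/microcode/GenuineIntel.bin", bytes(8))
                + _entry("TRAILER!!!", b"") + bytes(32)
                + gzip.compress(_entry("usr/lib/modules/6.5/dm-crypt.ko.zst", b"x")
                                + _entry("crypto_keyfile.bin", b"\xaa" * 16)
                                + _entry("TRAILER!!!", b"")))
```

On a real Arch or Manjaro system, mkinitcpio's `lsinitcpio -l /boot/initramfs-6.5-x86_64.img` lists entries across both segments the same way, and `/proc/cmdline` shows whether a `cryptkey=` parameter points at one of them.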