Root on GELI+ZFS without a separate boot pool?

[Mel Pilgrim]

Threads on others lists mentioned that with 12-R it's no longer 
necessary to have a separate boot pool when using a GELI-encrypted root 
ZFS pool.  The documentation I can find only shows the simple case of 
using a passphrase without a boot pool, or the "legacy" configuration of 
using keyfiles with a separate boot pool.

The use case is data privacy on a failed disk sent back to the OEM under 
RMA combined with unattended restarts.  Prompting for a passphrase can't 
happen.  The means to decrypt the GELI volumes must never be stored on 
the disk with the encrypted partitions.

It seems like it would work if the loader could access a separate 
filesystem containing just the keys, but nothing in the documentation 
suggests how to do this.  That is, the configuration for using GELI keys 
assumes the keys are on the same filesytem as the loader.

How do I get rid of having a separate /boot pool in my use case?