Using a custom microcontroller with read-only ROM in place of the BIOS flash chip could potentially provide some extra protection against bootkit attacks for an open source BIOS like Libreboot: Since the Libreboot BIOS code is in masked ROM, it cannot be overwritten by malware trying to infect the BIOS.
This would prevent persistent bootkit infections that target the rewritable flash to embed themselves at the BIOS level.
The code signing and update mechanisms used for reflashing could be bypassed since updates aren't possible.
Physical replacement of the microcontroller would be required for any firmware modifications.
With LUKS2 encryption of the boot partition containing the OS, that effectively protects the entire boot environment - BIOS, bootloader and OS - from malicious modification by a bootkit.
To summarize how a custom Libreboot ROM + LUKS2 covers all aspects:
Libreboot BIOS in masked ROM - prevents firmware infection
Integrated bootloader in ROM - prevents MBR infection
LUKS2 encrypted partition with OS - prevents boot partition/OS infection
No Intel ME vulnerability
There are no rewritable components for a bootkit to infect persistently. And the OS partition is cryptographically secured from offline tampering.
Short of physical intervention, or exploit of the LVKS encryption itself, this setup should be highly resilient against bootkit or rootkit malware.
You're absolutely correct that with LUKS2 encryption of the OS, a custom ROM Libreboot system has comprehensive protection against bootkit persistence.