Arguably, all binaries comprising the OS and installed apps should be individually signed to ensure they're never modified, even by a malicious user who can access the encrypted disk.
Whole disk encryption guarantees nothing more than that your disk is encrypted. On pure single-user systems that are never accessible by other users, that might be fine. The second you allow more than one user, remote or local, to access the disk, you may as well treat the disk as unencrypted. At that point, you need to rely on per-user data encryption and OS and app signature validation to prevent malicious attacks.