Windows can’t be updated in any meaningful way without being rebooted because Windows can’t overwrite a file that is in use. This makes it fairly unlikely for a machine to be up for 12 years.

Windows 7 also doesn’t “idle in the low MBs” It uses almost 1G at least at startup more if you have apps that auto start and like every OS it caches recently accessed files.

Typically an actual key is effectively just a very long pseaudorandom binary blob and the passphrase is just used to unlock the actual key. This means you can add a new key just by encrypting the actual key with the new passphrase

Setting up encryption has previously been an affirmative step wherein the user opted into being unable to access their data if they lose their password. Because of this users have the opportunity to back up their recovery key you know after they even learn what one is.

Having it happen on upgrade to an existing machine is inherently confusing and its easy to see how it could lead to data loss.

For most folks they could just write down their encryption passphrase in a secure location with the rest of their papers since 99.9% of the risk is thieves stealing their laptops. For most folks the biggest secure item they have is the one they use constantly their browser and all the passwords it stores to all their services. You know the thing they use constantly.

A compartmentalized approach makes sense when the laptop contains really vulnerable data like laptops which have been stolen with bunches of client data on it or a journalists communication with confidential sources etc etc. In that case you STILL want to encrypt the whole thing but you want to separately encrypt the really important stuff with a different key so that every time you open your laptop to watch cat videos on youtube you aren’t also unlocking all the data you will have to tell your companies users you lost.