Basically my original idea is starting to look doable now.
I have now played around a bit with encfs, and found out some things about it;

Unlike encfs implementation I have used on desktop linux, I did not find out a way of starting encfs as non-root user. It makes no difference whether I chmod the /dev/fuse as a+rwx, still trying to create or mount the encfs bombs out with "fuse: failed to open /dev/fuse: Permission denied"

Well, fortunately it does not matter much, as I can create and mount the fs as root with --public flag, and it is available to other users after that as well.

I tried copying the encrypted content to my ubuntu box and successifully opened the content there with the correct passphrase. That is as well as it should be, so protected access to the device in usb-memory mode is possible.

Next I looked into the device booting scripts. I have nitdroid dual-boot active on my device, so it was easy to find out the place in /sbin/preinit script where the multiboot section begins.
The correct place to mount the encrypted home would be just before the android/meego boot selection.

Now, next thing to do is to write up a simple input panel that can be called from the preinit script to query for passphrase.
When I get that part working correctly, meaning I can input the passphrase and see that decrypting is activated, I will try to move all stuff in /user/home inside the encfs mount.