How to prevent an encrypted APFS volume from automatically mounting?

Indeed that is the case, even in Mojave (Beta 2).

I have a solution which is quite a hack, but it works. It consists in creating a login script that unmounts the disk using diskutil after a delay.

Create login script

Putting it in home folder for simplicity

nano ~/unmountDisk.sh

put the following in it (replace Macintosh\ HD with the disk name you want to unmount, if needed)

#!/bin/bash
sleep 20  # don't do it immediately, wait until it is mounted
diskutil unmount Macintosh\ HD

save (ctrl-x then y, enter). Then make executable

chmod a+x ~/unmountDisk.sh

Create launchd agent

nano ~/Library/LaunchAgents/my.username.unmountDisk.plist

put the following in it (note: replace username with your username, especially after /Users/)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>my.username.unmountDisk</string>
    <key>ProgramArguments</key>
    <array><string>/Users/username/unmountDisk.sh</string></array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

Finally, enable it

launchctl load ~/Library/LaunchAgents/my.username.unmountDisk.plist

This should get the disk auto-unmounted shortly after login. If it doesn't work, maybe increase the delay (it was 20 seconds in the example). You can check if it works by opening Finder immediately after logging in; you should see the disk unmounting itself after a few seconds.

Make disk-read only

I also noticed that fstab can make the disk read only (could be done as well, for safety).

sudo vifs

then press G o and paste

LABEL=Macintosh\040HD none apfs ro