Correct way to 'dd' an entire APFS disk

Neither is actually correct.

The problem has nothing at all to do with APFS. As the linked answer describes, it has to do with the location of the partitioning tables.

If your source and destination drives have the same sector sizes, you can just copy using ordinary dd without any special parameters.

If they do not have the same sector size (as in the linked example with an old traditional hard drive and a newer flash-based drive), the partitioning table needs to moved.

Essentially the computer will try to read the GPT partitioning table at the location of the second sector. For some drives that will be at byte 512 on the drive, for others it will be at byte 4096 on the drive.

The dd command you suggest with two different block sizes won’t here. It means that dd will read in data in blocks of 4096 bytes, and write them out in blocks of 512 bytes - thus performing 4 writes for each read. However that still places all the data as the exact same byte indices on the target drive as they had on the source drive.

For your purpose you need to move the data that was previously at index 4096 to be at index 512.

Regarding your other questions:

Yes, encrypted partitions can be cloned with dd.

For this type of work you want to use rdisk instead of disk. The r means “raw” meaning that you’re bypassing the disk cache. You’ll end up with the same result, but it will go quicker that way.