it's not actually mandated. just, when enabled, gkd will `mlock` its secrets into memory. but i don't use swap anyway. plus, i'll enable that momentarily anyway (though systemd will probably not understand the capablity)
PAM integration is only required if the keyring is encrypted on-disk