Author here; #3 also defies the use-case for a duress word. The attacker is supposed to be presented with what appears to be a normal login scenario while in the background sensitive data is being scrubbed or even have the routines remove the pam-duress module completely so there's no evidence there was a duress routine in place.

Real law enforcement agencies would also simply confiscate the device and hand it to a forensic team to pull a "golden image" from it to work with in lieu of a user session.