Just full disk encryption does not solve the problem fundamentally. Malicious user with physical access could just install keylogger into bootloader which would log the password on the next boot.
To protect from that threat you need secure boot which verifies checksums from BIOS to kernel.
Full disk encryption alone suffices against device theft, presuming the device is turned off. More complicated threat models like an evil-maid attack are much harder to defend against.
Secure boot, and temper-evident device seals, form the outline of a solution. As far as I know though, these are still far from foolproof. Really I would say defending from an evil maid attack is still an open problem.
Something very similar holds for theft of devices that are still on.
To protect from that threat you need secure boot which verifies checksums from BIOS to kernel.