I'm curious as to how many people use FileVault and if it's really necessary on Macs with SSDs, T2 chips and auto-login disabled. I guess my question is, if you are set up to always require a password for login and you don't have a platter HDD that could be removed if stolen and accessed, is FileVault really necessary? I do encrypt my Time Machine backups on external drives and clearly understand the reason for doing so. But with the T2 chip, if someone stole the Mac and removed the SSD, could they get data from it? This may be a trivial question for the experts here, but I appreciate anyone's thoughts.
FileVault 2 being "necessary" is subjective. If you're in a business, it's probably necessary for the exact same reasons that BitLocker or some other Windows full-disk-encryption software package is. If it's just you and you don't have any sensitive information on your Mac, then it's a matter of personal preference.
To answer your question "if someone was able to remove the SSD on a T2 Mac, would they be able to get at the data?", the short answer is no.
The SSDs are integrated (read: soldered) onto the main logic board on MacBook Pros, MacBook Airs, and Mac minis introduced from 2018 onward, so that's not even physically possible. They're technically completely removable on the Mac Pro and iMac Pro, and partially removable on 4TB and 8TB 2020 27" iMacs (in that part of the drive is on the logic board and part of it is in a 2-4TB expansion module). The T2 is the SSD controller on all T2 Macs, and the T2 is paired with the storage at the factory. If you remove the storage modules from the logic board of the T2 Mac they were initially paired with, the data is effectively lost.
As was stated above, you can still use Target Disk Mode on a Mac to get files off without having to enter any kind of password. Yes, your data is always encrypted on a T2 Mac, but you have no protection mechanism in place to block Target Disk Mode from making your T2 Mac still accessible to another Mac.
Turning on FileVault 2 on a T2 Mac doesn't encrypt your drive. The drive is already encrypted by default (and there's no off switch). All it does is associate (and enforce) the protection of having to enter either a key or a username and password when accessing the drive via something like Target Disk Mode. You can functionally enable the same protection for your drive by setting a firmware password. In a business setting, FileVault 2 is much more preferred as you can escrow EVERY FileVault 2 key to a centralized database using an institutional FileVault 2 key. Plus it removes the need to change EVERY Mac's FIRMWARE PASSWORD when a high-level IT employee leaves the company.
I'm not the biggest on FileVault 2, personally. I think it's clunky and there are inherent quirks that can make diagnosing a Mac with issues all the harder to deal with when enabled. But, certainly, on a T2 Mac, it's made to be so quick and easy you don't need to really think about it. Turning it on and off is instantaneous and ultimately doesn't have the kinds of ramifications you might have on a non-T2 Mac.
I don’t think having it on will hurt performance in any way. It’s another layer of security and like I said, it doesn’t hurt to have it on.
On a T2 Mac, it doesn't impact performance at all. Turning on FileVault 2 on a T2 Mac just associates FileVault with the existing hardware encryption.
Whereas, on a pre-T2 Mac, enabling FileVault 2 requires actually encrypting the drive and will definitely entail slower drive performance. Albeit, the difference in performance won't be noticeable on an SSD save for super disk-intensive workflows. Casual users ought to not notice a difference in performance at all.