You need to make sure you are defining “deniable encryption”. It can be as simple as “no one can prove that a plaintext version of a file exists”, or it can probably be a lot more complicated (steganography is one complicated example).
Really, try and find the book I referenced above, it has some good real world explanations.
GBDE (and GELI) lives at a lower level on the device. You have a drive, you partition it. You pick a partition that you then “attach” GBDE to; that means anything done to that partition will be encrypted. After doing that attach to GBDE, you then create a filesystem on top of it.
Now you have a filesystem sitting on top of something that automatically encrypts. Think of this as a “scrambled phone”. You pick it up, you talk normally. Your phone encrypts your voice, the far end phone automatically decrypts it, the far end user hears clear text.
What does all that mean?
It means that you can create a separate filesystem on top of an encrypted partition for your user home directory and anything that is put into that filesystem will be encrypted when the disk is powered off. This is a key point a lot of people miss: while the computer is up and the device is mounted it is vulnerable. You have to power it off.
It means you can create partitions and filesystems and have the entire system encrypted.
On most systems, the directory “/tmp” is used for temporary data storage, like if you download and install a package, it may put some stuff there. The easiest way to protect it is to use a ramdisk for /tmp, so when the power is turned off, it’s cleared. Swap space is another thing that should be encrypted (TrueOS/Trident was doing that by default on the swap partition).
Encrypting computers is a non-trivial exercise and you have to really think about what you want to do, what is your data worth, what is your life worth.
By making it overly complicated you can easily lose all access to everything that is encrypted.
Overly complicated makes it a pain in the butt to use and then you start writing things down which is an attack vector.
There is a lot of information available in the FreeBSD documentation about all this too.
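As an added example, not part of the original post, here is a small POSIX sh audit that checks an /etc/fstab against the layout described above (a separate GELI-backed /home, swap on a .eli provider, tmpfs on /tmp). The fstab text and device names are constructed sample input, and `check_fstab` is my own helper, not a FreeBSD tool.

```shell
#!/bin/sh
# Added example (not from the original post): audit an fstab for the layout
# recommended above on FreeBSD. The fstab below is CONSTRUCTED sample input;
# on a real host feed it "$(cat /etc/fstab)" instead.
SAMPLE_FSTAB='# Device        Mountpoint  FStype  Options  Dump  Pass
/dev/ada0p2     /           ufs     rw       1     1
/dev/ada0p3.eli none        swap    sw       0     0
/dev/ada0p4     /home       ufs     rw       2     2
tmpfs           /tmp        tmpfs   rw,mode=1777,size=1g 0 0
'

# fstab_device FSTAB KEY -> prints the device column of the first
# non-comment line whose mountpoint (field 2) or fstype (field 3) equals KEY.
fstab_device() {
    printf '%s\n' "$1" | awk -v want="$2" \
        '!/^[[:space:]]*#/ && NF >= 3 && ($2 == want || $3 == want) { print $1; exit }'
}

# check_fstab FSTAB -> one OK/WARN line per check; returns 0 only if the
# fstab matches the recommended layout.
check_fstab() {
    fstab=$1
    rc=0
    # swap: the .eli suffix makes rc(8) attach it with a one-time key at boot,
    # so nothing paged out survives a power-off.
    swapdev=$(fstab_device "$fstab" swap)
    case $swapdev in
        *.eli) echo "OK   swap on GELI provider $swapdev" ;;
        "")    echo "WARN no swap entry found"; rc=1 ;;
        *)     echo "WARN swap $swapdev is not a .eli provider"; rc=1 ;;
    esac
    # /tmp: tmpfs lives in RAM, so it is gone when the power is cut.
    tmpdev=$(fstab_device "$fstab" /tmp)
    if [ "$tmpdev" = tmpfs ]; then
        echo "OK   /tmp is tmpfs"
    else
        echo "WARN /tmp is on '${tmpdev:-<none>}', not tmpfs"; rc=1
    fi
    # /home: the separate encrypted filesystem the post uses as its example.
    homedev=$(fstab_device "$fstab" /home)
    case $homedev in
        *.eli) echo "OK   /home on GELI provider $homedev" ;;
        *)     echo "WARN /home on '${homedev:-<none>}' is not a .eli provider"; rc=1 ;;
    esac
    return $rc
}

check_fstab "$SAMPLE_FSTAB" || echo "fstab deviates from the recommended layout"
```

In the constructed sample /home sits on the raw partition, so the script reports a WARN for it; the same check passes once the entry points at the attached .eli device.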