OK, so, am I correct in this?
Install 6.0.1 via HoN, including TWRP (since I want it and will not be taking OTAs) and then boot into TWRP and install SuperSU 2.67 ,then reboot into system and my device should not be encrypted?
And if I reboot into system first, then the encryption is on, which means no one can get to my files unless they log into the system itself, correct?
Finally, systemless root does not block Android Pay, does it
Also, another thought - how do I now enable the HotSpot feature if I cannot modify system files?