This is how I do it. My root dataset is set to passphrase, and its unlocked on boot by reading the passphrase from an inserted USB drive. Inside this root dataset all other datasets are set to passphrase and are unlocked manually. I can also choose to auto-unlock any of the child datasets via the USB drive script if needed.
All that is needed to secure the datasets is to remove the USB drive. So when I need to ensure security I pull the USB drive and store it securely. Without the USB drive inserted, the datasets will never unlock on boot.