Within the standard LUKS framework a MasterKey is used to encrypt the ‘bulk data contents’ of the USB drive. The LUKS MasterKey is never explosed to the user and only available to the LUKS encrypt/decrypt ‘engine’ when a valid passphrase is presented to it. LUKS supports multiple passphrase / keyslots, allowing multiple users to decrypt content, assuming they present a valid password.
Zymkey integrates with this LUKS framework by generating a unique passphrase (uniqueKEY), just as a user would. Such a uniqueKEY is, as you correctly say, unique to a specific (Pi+ Zymkey + SDcard) binding, therefore cannot be moved from system to system.
The advantage of this approach is that the ‘bulk data contents’ can be pre-encrypted with a common LUKS Masterkey (that is never exposed). Depending upon the size of your file system, this could save considerable time in that the ‘bulk data contents’ only need to encrypted once, in a secure manufacturing facility of your choice. The disadvantage of this approach is that the LUKS Masterkey is common across a fleet of devices, and IF exposed (through concerted effort, time and money) would provide access to a fleet of devices. If that represents a practical security risk to your application (a high threshold in our opinion), then you would have to encrypt each instance seperately and uniquely with a unique LUKS Masterkey.
Ultimately, as in all security matters, its a question of assessing the risk/loss and deciding how much time and effort to spend on building security layers. In this particular situation, you might consider using a common LUKS Masterkey across 10% of your devices, so ten unique LUKS Masterkeys would cover 100% of your fleet of devices.
Hopefully this provides more clarity. Let us know if you need more explanation.