So where is the latest key stored so that after a system has rebooted you can validate that the entire file hasn't been replaced by one from another system?
If it's not stored somewhere off the system, then it can be replaced along with the file and you are no better off than the simple hashing that logtools does. If you can send the key off the system, you can send the logtools hash off the system.
If it's stored on the same filesystem as the 'sealed' file, then it can be replaced, along with the file it's protecting.
The only case I am seeing where this helps you is if the system has not been restarted and so you can query systemd to find out what it thinks the current key is to validate that it matches the file.
If you don't send the key off the box, I don't see why this is any better than the initial systemd hashing. Both will detect if a file has been edited after the fact, but neither will detect if a file has been forged in its entirety.