According to bushing (https://hackmii.com/2009/08/of-tmds-and-hardware/), "unofficial uses" of Wii's AHBPROT were only discovered after the DSi launched (was it in March 2009 iirc?)
DSi TMDs also have an "access control" option (http://problemkaputt.de/gbatek.htm#dsisdmmcdsiwareticketsandtitlemetadata) and the home launcher definitely has SCFG unlocked since it must set it correctly for the title to be launched (exactly like on Wii), so it's realistically possible for a custom title to be created with all hardware enabled!
At least unlocking slot1+SD+NAND all at once is possible - the rom of TwlNMenu needs that
Of course there's the issue of actually getting said custom title on the console, but it looks like - haven't tried personally yet - hardmod has gotten there, see the end of the TWLTool topic...!!
You're right, controlling the SCFG field in the TMD to ensure it's never locked is how custom DSi-mode software like NTR Launcher or nds-bootstarap is able to mess around with the SCFG registers.
Assuming you're able to install and run a custom title from the home launcher, you'd have those same capabilities. The problem is gaining code execution by the time the home launcher loads. Once you load any title (assuming it has the SCFG lock setting enabled), the SCFG register locks and can't be unlocked until the console reboots. Any code execution you obtain afterwards won't be capable of messing with the SCFG registers.
That TWLTool topic looked interesting but I'm not sure if it opens the possibility for custom TMDs (enabling SCFG hax) or just custom Tickets (Piracy for legit content only)