The people who have the skills to find vulnerabilities in the Switch's firmware (SciresM, Hexkyz, etc) have all said that there is nothing left. The only option for hacking new Switches is the modchips. If we want soft modded Switches in the future either Nintendo have to massively mess up and introduce several new vulnerabilities in different parts of the firmware without realizing, or the recovery software that is officially signed by Nintendo needs to leak and someone has to find bugs in that. Alternatively you can wait a few decades until computers are fast enough to brute force the Switch's firmware signing keys, although this isn't really exploiting anything other than technological advancement.
Edit: Also remember that there are ZERO known boot time exploits for the Switch and people have been looking for years. They're theoretically possible before 3.0.0 but no one has found any and after 3.0.0 they're supposedly impossible. The fact that every software exploit requires some form of user interaction to get it going says a lot about the strength of Nintendo's security.
Edit 2: I guess technically pkg1ldr hax exists before firmware 6.2.0 but it requires brute forcing something to be able to use it and with the amount of computational power needed to brute force it you may as well brute force the signing keys, you aren't going to get either with today's processing power.