Well if there were some vulnerability early enough in the boot process in theory we could bypass the efuse check if I'm not mistaken. That's IF a vulnerability is there.
Need more than just the dumped bootrom for that.
Remember, bootrom for the Tegra is only a piece of the puzzle (hell, I can get that off my Jetson board, its the same thing/chip), most of the steps are root-key locked with the encryption behind the TrustZone. So we need to find a way to make something for the bootrom that the bootrom will accept as a real command to bypass the eFuse check but that means we have to trick its encrypted security checks/handshakes. This would be the equivalent of sighax, you'd need the equivalent of the ARM9 full access. But unlike the 3DS/WiiU, the Switch also has oodles of console unique certifications and their encryptions are also tucked away in TZ, and are burned in at the factory level. So, in effect, we need to completely compromise the bootloader, and you still have a unique Switch so it can still be permanently blacklisted and have no server access.
So... yes? Actually now that I wrote that out it seems you said much the same thing.
(Much as I can get the bootrom from a Jetson board, I cannot magically get a Switch running on the Jetson because I don't have any of the unique signage. In a lot of ways this is an educational dump that could inform but its not really guaranteed or maybe even likely to give us anything.)
Also this isn't Nintendo's bootrom, this is nVidia's. Start poking too far and publishing too much and I think you may have a very pissed, very aggressive company on your door. nVidia is more along the lines of Sony's draconian methods than Nintendo's '/shrug' methods.
That said, I am sure a large enough hole will be found. When it will be released is another matter.
