Proposal: Make bespoke Android firmwares designed to be difficult to remove, distribute them to infosec people, and challenge them to install the firmware then uninstall it again as a hacking challenge. You could call it an escape ROM.
What would make it "difficult to remove" anyway? Wouldn't replacing the recovery with "vanilla" Recovery/TWRP and then flashing a new image remove it?
You can have them lock the bootloader and then have the OS disable OEM unlocking so it can't be unlocked again without compromising the early boot chain or the OS. This is how Factory Reset Protection functions with the stock OS. It stores an account ID that's needed on boot.
If you could simply unlock and flash another OS, then you could trivially bypass FRP. The OEM unlocking toggle needs to be enabled in the OS before you can do that, which is how this works. Most devices don't properly support locking + using verified boot for another OS, but Pixels do.
's proposed CTF game with the stock Pixel OS. Log into an account in the OS, make sure OEM unlocking is disabled, factory reset the device, and it's a fresh install with an account ID in the FRP data section on the Titan M secure element.