>at the very least it would have been nice to see it use iPXE's `imgtrust` and `imgverify` functionality
I'm not familiar with these but I saw a commit from just a couple of hours ago referencing "image trust" [1], so maybe it's in the works now following your comment?