It would be possible, though very difficult, to turn the OS into a staging bootloader, and load another OS bare-metal from there. Still insanely difficult though.
Usually, once you can run code in kernel mode it’s just a matter of bringing the hardware back to a sane state.
Unfortunately, “just” running code in kernel mode is incredibly hard on the iPad. There’s e.g. a hardware mitigation that turns a memory region to read-only and also only allows kernel code to run from this region. This mitigation is locked down and cannot be disabled once XNU is running on the iPad (http://siguza.github.io/KTRR/).
On top of that, page tables are also protected by a “kernel within the kernel” (https://blog.svenpeter.dev/posts/m1_sprr_gxf).
Getting past all that is going to be very hard if not impossible.