by yehaaa 1767 days ago
Why is it not possible to disable SIP, make the desired changes, compute a new seal, then enable SIP again?
2 comments

I kind of bailed on macOS prior to Big Sur, so I'm not sure—but I think you can do that. Authenticated-root would need to be kept turned off, but that's a separate thing.

You're going to have to redo everything after every update, however.

Because if you can do it, any rootkit will be able to do it too.

No it can't. You'd have to disable SIP temporarily in the first place, and a rootkit can't boot a recovery environment while SIP is engaged.

And then on Apple Silicon Macs, entering 1TR is tied to the physical action of holding down the power button.

But you disable SIP while booted in recovery mode. Somehow Apple needs to do this anytime the system is updated.