[xgbi]

Because if you can do it, any rootkit will be able to do it too.

[Wowfunhappy]

No it can't. You'd have to disable SIP temporarily in the first place, and a rootkit can't boot a recovery environment while SIP is engaged.

And then on Apple Silicon Macs, entering 1TR is tied to the physical action of holding down the power button.

[yehaaa]

But you disable SIP while booted in recover mode. Somehow Apple needs to do this anytime the system is updated.