Use MQTT for all interop, and allow config to be changed via captive on-device portal. Put OTA keys in escrow if you insist on restricting firmware updates, so keys can get freed if SHTF.
I was actually thinking about MQTT after I posted this.
I'm leaning towards just allowing the MQTT server you connect to to be changed, so that you can point it at whatever in the future, and all messages are plain text and documented.
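Letting the owner repoint the broker from a captive portal means the portal input is attacker-reachable configuration, so it needs strict validation before it is stored. The following is an added example, not code from this thread or any real firmware, using hypothetical names; it accepts only `mqtts://host[:port]` (plaintext `mqtt://` only when explicitly enabled) and rejects embedded credentials, paths and malformed hosts.

```python
"""Validate a user-supplied MQTT broker setting from a captive-portal form.

Constructed example; BrokerConfig and parse_broker_url are hypothetical names.
"""
from dataclasses import dataclass
from ipaddress import ip_address
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"mqtt": 1883, "mqtts": 8883}
# RFC 1123 style hostname label: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class BrokerConfig:
    host: str
    port: int
    tls: bool


def _valid_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a well-formed DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        pass
    return 0 < len(host) <= 253 and all(_LABEL.match(label) for label in host.split("."))


def parse_broker_url(text: str, allow_plaintext: bool = False) -> BrokerConfig:
    """Parse 'mqtts://host[:port]' into a BrokerConfig, raising ValueError on bad input.

    Only scheme, host and port are allowed, so a crafted portal submission cannot
    smuggle credentials or extra fields into the stored configuration.
    """
    parts = urlsplit(text.strip())
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be mqtt or mqtts")
    if parts.scheme == "mqtt" and not allow_plaintext:
        raise ValueError("plaintext MQTT is off unless the owner explicitly enables it")
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        raise ValueError("only host and port may be set here")
    host = parts.hostname or ""
    if not _valid_host(host):
        raise ValueError("invalid broker hostname")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return BrokerConfig(host=host, port=port, tls=parts.scheme == "mqtts")
```

Store the returned BrokerConfig rather than the raw string, and keep the factory broker as a fallback so a bad setting cannot brick the device's connectivity.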