Not really any kind of answer, but possibly useful info: If the chain of boot is signed with a secret key, and if the security fuses are burned, then you won’t be able to read that boot content, but you will be able to flash it with any new content which is signed correctly. Nobody will be able to change the chain of boot other than the person with the key. Even the person with the key won’t be able to read those partitions when the security fuses are burned (so far as I know, burned security fuses will imply part of the boot chain is write-only). The rootfs is not part of this, but if the rootfs is encrypted, then recovery mode will only read the encrypted content. Any key in the earlier boot stages will be inaccessible. There is nothing you can do, though, to prevent going into recovery mode per se, and there is nothing you can do to prevent reading the rootfs/APP partition…but what is read is perhaps not useful to anyone who does not have the key.
Of course, the downside is that while booted, and while the rootfs has been unencrypted via the correct key, a privileged user can use ordinary Linux tools to read content. However, recovery mode won’t be an issue.