With regard to all the 'successful' Rigol hacking, Rigol wanted it to be hacked to increase sales.
I'm not sure if they wanted it hacked, I think it is more like what Microsoft did with the first Xbox - they wanted a quick solution and they didn't have anyone experienced implementing it.
On most modern stuff the best way would be to patch the firmware itself - assuming they haven't added too much security that verifies the firmware integrity.
I don't think too many people have a unit or two they want to sacrifice to see what's possible.
With the 3446xA, I don't think you would risk sacrificing it completely. The bootloader doesn't have Ethernet abilities like some of Keysight's oscilloscopes, but you can dump the flash contents over a serial interface - this doesn't take as long as you might imagine as the bootloader can CRC blocks of data, so you can use this to reduce the amount of data that has to be transferred. This means you should always be able to restore the flash to a known state. However, it is possible that you could corrupt the multimeter's identity with a bad firmware - I believe it is stored in flash, but it is also stored in an EEPROM next to the FPGA (although it's connected to the Cortex-M3, on the opposite side of the board, rather than the FPGA). But you can always dump the EEPROM, or spy on its communications, so that you have almost no chance of destroying its data.
The 344x6A also uses two bootloaders and has two firmware images - if the second bootloader detects that the first firmware image is corrupted, it will use the second image, which is very basic (no UI, just a plain white screen - I have a picture of it, if anyone cares) and only allows new firmware to be sent to the multimeter (to fix the corrupted image stored in flash).
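
Added example, not from the thread or from Keysight: a sketch of how per-block CRCs can shorten a serial flash backup by skipping blocks that match a baseline copy or are erased, then verifying the rebuilt image. The block size, the choice of CRC-32, the baseline image and every function name are assumptions; the thread does not describe the bootloader's actual commands.

```python
import zlib

BLOCK = 4096  # assumed block size; the thread does not give the real value

def block_crcs(image, block=BLOCK):
    """CRC-32 of each block, standing in for what the bootloader would report."""
    return [zlib.crc32(image[i:i + block]) for i in range(0, len(image), block)]

def plan_dump(device_crcs, baseline, block=BLOCK):
    """Return (skip, fetch): blocks recoverable locally and block indices to transfer."""
    base = block_crcs(baseline, block)
    erased = zlib.crc32(b"\xff" * block)  # CRC of an erased flash block
    skip, fetch = {}, []
    for i, crc in enumerate(device_crcs):
        if i < len(base) and crc == base[i]:
            skip[i] = baseline[i * block:(i + 1) * block]
        elif crc == erased:
            skip[i] = b"\xff" * block
        else:
            fetch.append(i)
    return skip, fetch

def assemble(device_crcs, skip, fetched):
    """Rebuild the image and re-check every block against the device CRCs.

    CRC-32 catches transfer errors and accidental corruption; it is not a
    defence against deliberate tampering.
    """
    parts = []
    for i, crc in enumerate(device_crcs):
        data = skip[i] if i in skip else fetched[i]
        if zlib.crc32(data) != crc:
            raise ValueError(f"block {i} does not match the device CRC")
        parts.append(data)
    return b"".join(parts)

def demo():
    # Constructed data: a 4-block baseline, then flash with one changed byte
    # in block 1 and two erased blocks appended.
    baseline = bytes(range(256)) * 64
    flash = bytearray(baseline + b"\xff" * (2 * BLOCK))
    flash[BLOCK + 10] ^= 0x01
    flash = bytes(flash)
    crcs = block_crcs(flash)
    skip, fetch = plan_dump(crcs, baseline)
    # Slicing the constructed flash stands in for the serial transfer.
    fetched = {i: flash[i * BLOCK:(i + 1) * BLOCK] for i in fetch}
    return fetch, assemble(crcs, skip, fetched) == flash
```

In this constructed case only one of six blocks has to cross the serial link, and the final CRC pass confirms the saved image matches what the device reported before anything is written back.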