I can imagine getting everything so locked up that it's impossible to get persistent-root may require more engineering power than is wise to spend on Rigols side.
Sure, my point was only that it's a lot less difficult to require people to at least open up the case and solder wires to the board if they want to hack it, thus voiding the warranty (or at least creating fear of loss of warranty, depending on local laws).
Checking the digital signature of an update file before installing it isn't difficult. Disabling the command shell access on the Ethernet port isn't difficult either.
Just those two things would
reduce hacking by a significant amount.
(and increase Siglent sales proportionally)
nb. I didn't say "prevent" hacking.