about the 3rd, is the end apk file downloaded by a user on the playstore reproducible? could google add stuff to the apk before the user downloads it? do users ever bother checking if the apk hash matches the one from the reproducible build?
it is quite unfortunate that only x86 UEFI vendors have an option (and only because it is part of the specification to have) to add your own secure boot keys, it allows for user freedom without compromising the potential security benefit that secure boot can provide
do you mean cryptographic keys? or metaphoric keys? because they don't need to give any cryptographic keys at all, just look how it is done on x86, you can just add your own keys and most boards let you disable the built-in ones
there is python, PyQt6 is cross-platform, runs anywhere, the biggest dependencies python and qt are often also used by other things so likely to be installed already
you should see the electric wiring in my house girl, one breaker, 2 electric showers, one fridge, one microwave and a wooden roof!