It could be done, then I need to rewrite chrootpwd with plain c and integrating to rescueOS, but I am to lazy for that. Or figure out how to run a binary as su without sudo or rootsh and not knowing the password.

Thank you endsormeans I learn from you many unknown english terms. Sometimes it is hard to understand and I need to read more than once. Lol when google "El Cid"
The biggest harm to the device is when somebody else have it in his own hands. My work doesn't harm myself because I think it is already known.
Also removing the usb port doesn't give you protection, you still can install rootsh or sudo to change the root password.
Don't give the device away or do not loose it. Protect sensible data with truecrypt.