Using the new firmware features described in go/cros-fwmp (pron: fwump, I think) it should be possible to do this:

1. Switch to developer mode.
2. Install your own build on the internal SSD, or make it available on a USB stick.
3. Set things up so that the new build is verified at boot (and later) against the user key pair, just like the Google-signed image in verified mode.

Returning to unverified developer mode should only be possible with physical presence, by first recovering to verified mode with a Google-signed recovery image.

This would give developer mode a similar level of security as verified mode, although without the convenience (ease of update).

Per discussion with RS (in cc: list), this can be added as a script to the official image, and may require simple modifications to the recovery image.