penwellr's comments

The T2 in a portable stays on even when the Intel CPU and macOS are shut down, so "persistence" is pretty easy (the T2 can go very, very low power).

Once you own the T2 you can just disable secure boot and modify macOS anyway (like injecting EFI apps/drivers into the EFI System Partition).


Apple has similar "magic DFU commands" for lightning, so for the iPhone X and prior this can be done via a magic cable as well... (look into the Bonobo cable)


rickmark here: Sorry, no, that's inaccurate. The T2 provides MacEFI.im4 to the Intel processor by emulating a flash controller over eSPI. So by modifying this file, and removing signature checks, you can run any payload you like (see the EFI replacement video).


So there is some kind of signature defeat involved, correct?


Yes, sigchecks had to be patched out of the kernel. And yes, it does not persist across a T2 reboot, but the T2 only reboots if you hold the power button for 5 seconds. A macOS "reboot" does _not_ reboot the T2.


The full timeline + previous coverage is here: https://blog.t8012.dev/on-bridgeos-t2-research/

