I think the current boot feature will disallow arbitrary EFI booting. And most mobile device manufacturers do not allow bootloader unlocking for consumers. That being said, there is no guarantee that a determined child will be prevented from running apt install git build-essential, cloning the Chromium source code and compiling a modified version of Chromium; or from using ncurses and libcurl to hand-make their own tiny browser; or from receiving a premade browser using nc -l 8080 > www.AppImage. As long as the exposed functionalities are Turing-complete and any tiny networking is possible, a determined child will eventually make it happen.
Much as I respect and appreciate these efforts in maintaining compatible alternatives to canonical Mac OS X and Mac OS XI, in modern days I would prefer to run Mac OS X/XI applications in my GNU/Linux system over some compatibility layer (FoundationLibc, CorePulse, PicQuartz, Melkan, etc.), because, in the years after leaving Mac OS X, I have established new workflows which are mainly GNU-based.
I still want GarageBand and perhaps Processing / Glyph, but I prefer embedding those Mac OS X/XI apps in my GNU workflows. Rebooting to another OS wastes time and virtualization has a performance penalty; neither is fun.