Now I'm not saying these folks are idiots, more likely just unfortunate mistakes. I myself am prone to the occasional derp.
That got me thinking about how to protect an s-off device from an accidental 'fastboot oem writesecureflag 3' that would leave me crying.
Basically, 4 things:
1. Find an RUU and tuck it away. For me, with an AT&T One, its 1.29.1540.16 from htc1guru. Why this RUU? Well it has a very old hboot 1.44.0000 (pre June, 2013) that is easy to s-off with revone, and can be unlocked via HTC Dev. Also, they are very easy to come by on sites like HTC Dev, htc1guru, etc.
2. Change CID to match what the RUU expects:
fastboot oem writecid BS_US001
3. Make sure MID matches what the RUU expects as well: PN0712000 (which matches my AT&T device already.) If not then change it to match with the eng hboot (I won't go into that here, but if you've changed it once already then you're familiar with the process.)
4. Lastly, and most important: flash the hboot and change the firmware main version so that it matches what the 'rescue RUU' is expecting. For me, that's hboot 1.44.000 and 1.29.1540.16 so I created the attached 'firmware_reset_1.29.1540.16.zip' that can be flashed via:
fastboot oem rebootRUU fastboot flash zip firmware_reset_1.29.1540.16.zip
This last step is important because with s-on you cannot RUU a downgrade hboot or mainver, so having hboot 1.44.0000 and mainver 1.29.1540.16 will allow the 'rescue RUU' to do it's thing.
So now we're all set. If things go south at some point and I need to get back to a known good, I can flash the RUU exe (even if s-on and locked), then unlock via HTC Dev, flash a custom recovery, root, and go.