So do a temp root, copy to /mnt/storage, and then a adb pull gets it over.
The squashfs itself is offset by 256 bytes, so:
losetup -o 256 /dev/loop0 ./androidmerged.squashfs.secure
At this point, the FS can be mounted or unsquashfs can be used to extract it.
So, what's the first 256 bytes? The secure implies some type of signature, but what kind, and what else is in all those bytes?
I'm not feeling brave enough to try just grabbing the first 256 bytes and appending a modified squashfs image to it on my device just yet, but if others try please report back. (On both if it works, and if not what it takes to recover the unit.)