I don't think you should worry about it.
What we are playing with is not an actual ROM at all.
I never get myself in-depth with Android but it should be in the same manner everywhere.
1) The actual ROM (even before something you called bootloader) hard-coded to the hardware (power-on?)
2) ROM, in case of manufacturer don't want you to play much with it; those are Kernel, Bootloader,Radio,Baseband,Blah blah blah la la la, which you need a flasher to play with. I don't think you have already flash 10,000 time of this stuff.
>> It's usually locked by allowing only 'signed' image file to flash. That should be about our cracking bootloader.
3) Internal memory, imagine this one as another internal SD Card, it is easier to understand. All the android,cache,data,sys, blah blah blah goes here. That's why you can have xRecovery doing a custom OS (NOT ROM!) And I think it's just a normal filesystem copy, not a flashing at all.
>> It's locked by ROOT.
Correct me if I'm wrong, it's general method which could be customized anyway.