Short answer: noAnswering myself: No. System avb flags create a chain system signing so that system could be updated independently, but with a key that is known to vbmeta partition. So, if user modifyes system, that prlbably would not work. I am looking for a way to let users flash Gapps without trigerring rejection.
Longer answer: kinda... but it would break the security model and make relocking the bootloader pointless.
Basically, yes you might be able to create an empty vbmeta and relock the bootloader, but then any changes to any of the partitions would be valid. So if malware exploited a hole that allowed it to write to system (or vendor or any other partition), any changes would be kept through a reboot or even a system reset.
As for adding GAPPS "afterwards", you could then create your own build of GAPPS and sign it with the same key as you signed your build and allow users to flash it as part of install. Or simply create two separate distros of your ROM, one without GAPPS and one with, as you can certainly build GAPPS into a build.