I think you're confused a bit about my being confused a bit.
Of course you didn't write to the env partition directly using usbdl code or scripts.
But if it were not for the entry vector the usbdl exploit gave you, you couldn't have done all of the other stuff described in the second paragraph above.
So, what was cut off by the pw mitigation was that entry vector.
Another entry vector is physically writing to the emmc externally.
Yes, you and fred disabled the arb feature in bl2. But suppose the lock value was already 10000000, would that only prevent an older version of the bootloader from being flashed, it wouldn't also effectively disable arb?
If the lock variable can't disable arb, but only prevents an older bootloader from being flashed, then you're correct.
But if the current bootloader otherwise observes the lock variable, writing a good env partition (w/ valid crc) should unlock the bootloader.
I don't really think it would work. I think the newest bootloader would revert any changes to the lock variable back to a locked value.