Defogging: FOG does modify iPXE binaries by adding a boot script embedded into iPXE. That script is here: https://github.com/FOGProject/fogproject/blob/master/src/ipxe/src/ipxescript Its used to chain to default.ipxe on the tftp server. If you look in that script on the fog server that is how it gets to boot.php. With iPXE boot loader you can transfer files over tftp, http(s), nfs with the way FOG has it compiled. FOG uses the http protocol to load FOS Linux because http is faster than tftp and is routable across subnets. But you don’t need http or apache to boot your only custom linux, tftp will work just fine. You could use the rom-o-matic site to build your custom iPXE binaries and not even need to setup that build environment for iPXE https://rom-o-matic.eu/ Just understand that you can use the FOG iPXE binaries too, you just need to add your iPXE code to default.ipxe in the tftpboot directory of your tftp server. Its just one less thing to mess with.
Security: One of the advantages of the buildroot approach is that since your OS will run out of memory its a bit stateless. If the running environment becomes compromised, when you stop the system or reboot the compromise will not be saved since everything runs out of RAM there is no persistence. Plus since the initrd is packed you can’t simply drop a file in its boot media. The bad guy would have to unpack the inits, make the modification and then repack the inits. While its not hard to do, its not easy either.
Anyway, it sounds like you have a fun and challenging project. I wish you the best.