Delete a host
Update a product key
Approve a host (which can lead to an AD credential leak)
IMO these functions should be removed from the FOG iPXE menu completely (password or not). These processes should be restricted to the FOG UI. Simply for the fact you stated that changes to the FOG environment could be done in a malicious and anonymous way with this code hanging around.
In regards to the other method using the ubuntu/debian kernel (I believe that is what clonezilla live does) the issue is with the drivers. Most of those general purpose kernels use dynamically loaded drivers. That would work for FOG, but then the drivers would need to be loaded into the init.xz (VHD). Both methods are possible. I was testing a few years ago with just this solution of using grub and the shim to secure boot and it did work at the time. But the project fell out of focus and then when I got back to it it was failing. The issue I ran into with Grub is that its not dynamic enough for FOG. You can do static pxe booting, but the issues came at the deploy image menu to get that bit to work.