I think the best approach would be to enroll the device in an MDM solution such as Jamf. You can use this to apply very granular restrictions to what apps or websites can be used, and if you set a complex passphrase then you can’t just log in and reduce the restrictions.
I started down this path, but unfortunately I’d already been using the device and it was tricky to migrate data like photos/contacts onto the restricted device.