Hacker News

[deleted]


With physical access, one could at least theoretically backdoor the boot partition and then "rootkit" ("bootkit"?) the rest of the machine.


Sure, but a reboot would be obvious, and writing to a partition while the OS has it mounted seems like it could go quite poorly...


It's actually not all that uncommon for well-written rootkits to do just that.


Cool, I learned something. I guess the boot partition is likely to be inactive, and with a ffs-derived file system you can simply overwrite some file in place with your own functionality. E.g., replace some unused driver code with your rootkit, which loads itself on probe.



