That's not really toddler <i>proofing</i>, though, is it? You've <i>reset</i> it, but next time the kid gets to the keyboard they can do the same thing. I was expecting to read about a setting to switch systemd-boot to read-only mode or to require a password to do anything except the default boot.
All of the tooling that's been developed by systemd around booting, secure boot, TPMs, and disk encryption has been wonderful for embedded linux development.