shantyspruce Thank you for your patience so far.
For simplicity, we just flash the Heads firmware version for now for any orders with Heads firmware. After the first flash, Heads recognises that there is no GPG ring and asks the user to do the initial setup.
We are limited to the current options that Heads gives us. I don't think it is feasible to add a restriction on the recovery shell, unless Heads offers an option for this. I haven't seen this so far, but maybe I'm wrong?
TOTP is optional and part of Heads, it can be set up during the re-ownership.
HOTP verification is optional too, but always recommended.
I think we would need to add an option to our website to meet your wishes.
However, the problem is that creating a policy for better security for only one user would be financially unattractive. I would assume that most users would rely on the anti-tamper package in case they are concerned about tampering during transport.
If anyone reads this and shares the same concerns as @shantyspruce, please join the discussion.
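The TOTP and HOTP verification mentioned in the reply above rests on RFC 6238 (time-based) and RFC 4226 (counter-based) one-time codes. The following is an added example, not part of this thread and not Heads' own code: it implements both code generators, the skew and look-ahead windows a verifier needs, and a constructed walk-through of an untampered versus a tampered boot. The function names, `good_secret`, `wrong_secret` and the fixed boot time are illustrative assumptions; the secret is the RFC test secret so the codes can be checked against the published vectors. How Heads binds the secret to firmware measurements is not modelled here.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) code generation and verification.

Added illustration, not Heads code. Only the arithmetic a TOTP/HOTP
boot-verification scheme rests on is shown; the sealing of the secret to
firmware measurements is out of scope.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, presented: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current step and +/- `skew` neighbouring steps.

    This is what the phone-side comparison amounts to: firmware and
    authenticator app derive a code from the same secret and time and they
    must agree. Constant-time comparison so a mismatch leaks nothing about
    the expected digits.
    """
    current = unix_time // step
    return any(
        hmac.compare_digest(presented, hotp(secret, c, len(presented)))
        for c in range(current - skew, current + skew + 1)
    )


def verify_hotp(secret: bytes, presented: str, counter: int, look_ahead: int = 2):
    """Counter-based check with a small look-ahead window for resynchronisation.

    Returns the counter value that matched (the verifier should then store
    matched + 1 so a captured code cannot be replayed), or None.
    """
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(presented, hotp(secret, c, len(presented))):
            return c
    return None


# Constructed sample: the RFC 4226 / RFC 6238 test secret, chosen so the
# expected codes can be checked against the published test vectors.
RFC_SECRET = b"12345678901234567890"


def boot_check_demo() -> dict:
    """Constructed walk-through of an untampered boot and a tampered one.

    `good_secret` stands for the secret the firmware can unseal when its
    measurements are as expected; `wrong_secret` stands for whatever it ends
    up with when they are not (in practice the unseal simply fails). Both are
    assumptions for the demo, not Heads behaviour.
    """
    good_secret = RFC_SECRET
    wrong_secret = b"00000000000000000000"
    boot_time = 1_700_000_000  # fixed so the demo is deterministic
    phone_code = totp(good_secret, boot_time)  # what the authenticator app shows
    return {
        "untampered": verify_totp(good_secret, phone_code, boot_time),
        "tampered": verify_totp(wrong_secret, phone_code, boot_time),
    }


if __name__ == "__main__":
    print(hotp(RFC_SECRET, 0), totp(RFC_SECRET, 59, digits=8))
    print(boot_check_demo())
```

The look-ahead in `verify_hotp` is why HOTP on a hardware token stays usable after a few codes are generated without being checked; the skew window in `verify_totp` is the usual allowance for clock drift between the two sides, and both windows should be kept small since every extra candidate is another code an attacker may guess.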