Right. So, similar to "Harden GRUB bootloader using bootloader password - #6 by Patrick", there could be a corporate setup use case.
A malicious employee could manage to corrupt some system files to then get a dracut recovery shell.
Or the complex VM related attack you’ve described.
We could set rd.shell=0 rd.emergency=halt in security-misc. (And then undo the setting in debug-misc, if not already the case.)
But we would only set it for GRUB_CMDLINE_LINUX_DEFAULT (default boot entry) or GRUB_CMDLINE_LINUX (all boot entries, including recovery boot entry)?
The kernel parameters rd.shell=0 rd.emergency=halt can be modified or unset from the GRUB boot menu. But those who worry about that can either set a BIOS password and/or a bootloader password, depending on their threat model.
Setting it for default (non-recovery) boot menu entries might make sense, because those who want to protect Linux recovery mode boot entries need to set a GRUB root password anyhow.
Another related solution: Remove Linux recovery mode boot option from default GRUB boot menu
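
The sketch below is an added example, not part of the post and not code from security-misc. It checks whether rd.shell=0 rd.emergency=halt is in effect for the normal and the recovery boot entry under each of the two placements discussed above. The function names are hypothetical, the entry composition is a simplified model of GRUB's behaviour, and it assumes the last occurrence of a repeated parameter wins.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from security-misc.

# Effective value of a key=value kernel parameter.
# Assumption: when a parameter is repeated, the last occurrence wins.
cmdline_value() {   # $1 = key, $2 = kernel command line
    set -f          # no globbing while word-splitting $2
    val=""
    for word in $2; do
        case "$word" in
            "$1="*) val="${word#"$1="}" ;;
        esac
    done
    set +f
    printf '%s' "$val"
}

# Return 0 only if both settings proposed in the post are in effect.
dracut_shell_locked() {   # $1 = kernel command line
    [ "$(cmdline_value rd.shell "$1")" = "0" ] || return 1
    [ "$(cmdline_value rd.emergency "$1")" = "halt" ] || return 1
    return 0
}

# Simplified model of how GRUB composes each entry's command line:
# normal entries get both variables, recovery entries only GRUB_CMDLINE_LINUX
# (plus "single" on Debian-style systems).
entry_cmdline() {   # $1 = normal|recovery, $2 = GRUB_CMDLINE_LINUX, $3 = ..._DEFAULT
    case "$1" in
        normal)   printf '%s %s' "$2" "$3" ;;
        recovery) printf 'single %s' "$2" ;;
    esac
}

report() {   # $1 = GRUB_CMDLINE_LINUX, $2 = GRUB_CMDLINE_LINUX_DEFAULT
    for entry in normal recovery; do
        if dracut_shell_locked "$(entry_cmdline "$entry" "$1" "$2")"; then
            echo "$entry entry: emergency shell disabled"
        else
            echo "$entry entry: emergency shell reachable"
        fi
    done
}

# Constructed sample values for the two placements discussed in the post.
echo "Set in GRUB_CMDLINE_LINUX_DEFAULT only:"
report "" "quiet rd.shell=0 rd.emergency=halt"
echo "Set in GRUB_CMDLINE_LINUX:"
report "rd.shell=0 rd.emergency=halt" "quiet"
```

On a running system, the same check can be applied to the booted entry by passing the contents of /proc/cmdline to dracut_shell_locked.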