Yeah the cheapest way, too bad the rpi 4/5 and future versions make it possible to write to the eeprom. Atleast it sounds like the newer ones have a way to make it write protected via a jumper or something.
Sure, but I mean the chances of someone creating a virus specifically to run when plugged into a pi running pi OS or other Linux os with the purpose of attacking the eeprom, delivered by dropping usb sticks in public is so ridiculously small it has to be functionally non existent.
True, you could probably solve that by breaking the casing off first if you’re insistent on trying it. They don’t look like a normal usb stick on the inside. Also I’d imagine it isn’t really feasible to just go dropping them around but maybe you can get them cheap enough somewhere.