Allow the users to install their own keys. Changing keys invalidates all encrypted/secured data, which means you have to export the data if you do hardware changes and reimport it after supplying your own. Once you have your own keys installed, you could sign additional hardware with them.
If Apple is a viable root of trust then you yourself should be too. There's nothing magical that only Apple can do.
I believe that Apple is burning their cryptographic key into read-only memory, so they would need to build out a read-write pipeline and provide a secondary keystore option for "non-default" users that is writable by the hardware itself. That's a tall ask, but it's feasible, so we're good so far. The benefit to expert users with crypto competence is clear.
How would this benefit third-party repair shops, though?
The point is that you'd back up the keys in advance (when you initially set up the machine), and when the machine dies and your T2 is fried, the repair shop can just replace it with a new T2, load the backed-up keys into it and give you back your machine with the data intact.
If Apple is a viable root of trust then you yourself should be too. There's nothing magical that only Apple can do.