I've used systemd-sysext's to add system level software to my Steam Deck withough having to unseal the root partition. It's slightly annoying in that that I have to rebuild the ext's every time the system updates, but otherwise they work great.
I just use an overlayfs of /usr pointing to a folder on my SD card. Then I just use their arch.. Every 3 to 6 months I pop out the SD card, update their stuff, then pacman install a few dozen packages main packages (and the quite a few more dependencies) that I need. I put it in a script for convenience.
The only issue I've had is their static snapshot of arch has some inconsistent dependencies from time to time that need manual handling, and occasionally they are missing a cert change so you either choose to trust the package from their server anyway and install it with a cert skip, or do without.
Aside from that, everything seems to work well, and if there were any problems, well I can always just reboot with the SD card removed.
I was worried about how /etc might interact with their stuff, but seems fine so far, and I assume they left it writeable for a reason.
I do do backups just in case.
With static binaries that is not needed (and you can use OS=_any in the extension release file to mark them compatible).
If you want to repackage distro binaries without recompilation, you can have a look here: https://github.com/flatcar/sysext-bakery/pull/74
There are two tools, one can bundle the needed libs in a separate folder, and the other one works more like Flatpak and uses a full chroot. Since you already know what files are needed at runtime I think you could try the first approach, otherwise the second might be easier.
