I had an x86 Android tablet and that was exactly as locked-down as an ARM Android device.
But anyhow: I can lock down a x86 laptop or PC the way I was describing within a very short time.
So again:
Put a password on the BIOS
Set Secure Boot on
Wipe all Secure Boot keys and put your own in there
Encrypt the disk so that you can’t just plop the drive into another PC and modify its content
Set the root user to “Can only login with private key” and don’t give the key to the customers
Remove all users from sudoers
Use chown root:root and chmod 700 on anything you don’t want the user to touch
And if a company was doing this to their products (e.g. the Steam Deck), they’d replace the first 3 steps with a custom BIOS which just doesn’t let you change anything in regards to Secure Boot and Secure Boot keys. That way, removing the BIOS battery won’t help.
There are countless embedded devices using an x86 PC at their core, where they did exactly that. (E.g. ATMs or medical devices)
Also Chromebooks are exactly that.
And the Playstation 5 does the same thing, only it’s based on FreeBSD.