I've read that but wasn't clear to me.
The verified boot public key flashed to the secure element can only be changed when the device is unlocked. Unlocking the device performs the same wiping of the secure element as a factory reset and prevents data from being recovered even if the SSD was cloned and your passphrase(s) are obtained because the encryption keys can no longer be derived anymore. The verified boot key is also one of the inputs for deriving the encryption keys in addition to the user's lock method(s) and random token(s) on the secure element.
Does this mean there is only one unchanging hash to check regardless of the os image getting updated on the phone?
I did lock the bootloader after installation.
So can I do the visual check now against those published hashes and that would be enough?