The best approach (imho) is three fold:
Peripheral firmware, volatile or not, can be overwritten by host. This is at hardware or interconnect level where malicious firmware can’t block it and will be overwritten.
Host has some cheap, abundant flash or something for upgrades. Plentiful helps for both mitigate security aspects of wear-leveling and strategy of keeping old firmware until new installs correctly.
Host has a ROM that contains trusted, initial loader that loads, integrity checks, and signature checks the main firmware. This part should be built to high-assurance standards given it might be a service visit or recall if it fails. Good news is that key components have already been built to those standards.
Optional. Old-scool method was to use EEPROM’s that were themselves re-writable if you flipped a switch or messed with a jumper. That makes it require physical access to the device to modiy. Unless some flawed setup still allowed a software bypass. This idea is so old a mainframe from (IIRC) the 1970’s used read-only, physically-replaceable firmware. Swapped out like a disk or something.
So there’s your solution. Have at it system builders.