Indeed, this is a valid question.
I think that when ATF (Arm Trusted Firmware) is in use, both BL2 and U-Boot itself are generated and it is possible to replace both.
According to the tutorial below, after compiling ATF, there should be bl2.img and fip.bin files, and BL2 should be put in the boot0 partition (a bl2 partition does not exist for eMMC in GPT).
https://forum.openwrt.org/t/tutorial-build-customize-and-use-mediatek-open-source-u-boot-and-atf/134897
However, it might be possible that security goes even deeper and the BL2 image itself is verified by the BL1 BootROM...
Secure Boot
So many open questions with those routers...
Cheers,
Przemek

