The specific application is around complete replacement of dropbear
with OpenSSH in the firmware.
To allow login after a clean flash or in failsafe mode, sshd_config needs to allow root login without password as one approach. OpenSSH should, by default, block root login in all other modes.
My thoughts were to put a "scary" permissive sshd_config on the squashfs image that would be overlaid by the "stock" and relatively safe one in normal operation, without a user having to create one. A couple of other files might be in the same category, such as shadow.
This approach is attractive to me as this would keep the image consistent with other OpenWrt images when running in failsafe mode.
I'm familiar with how to add files to the squashfs image
https://openwrt.org/docs/guide-developer/build-system/use-buildsystem#custom_files
but would like to additionally add a file to the initial overlay file system.
If it isn't straightforward to add files to the overlay, I've also thought of enabling a "recovery" user in the firmware, as long as sudo is also in the image and they are granted privilege to use it.
There are a couple of hints in the make files such as
include/package-ipkg.mk: ifdef Package/$(1)/install-overlay
but I haven't found any documentation on it yet.
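
A check for the layering described in the post, as an added example that is not part of the original post or of OpenWrt: it confirms that the overlay copy of sshd_config, not the permissive image copy, decides whether root can log in with an empty password. The function names, the sample configs, and the reading of "permissive" as PermitRootLogin yes plus PermitEmptyPasswords yes are assumptions.

```shell
#!/bin/sh
# Added example: names and sample configs are assumptions, constructed for illustration.

# Print the effective global value of an sshd_config keyword. sshd keeps the
# first value it reads for a keyword, and keywords are case-insensitive.
# Parsing stops at the first Match block, whose settings are conditional.
sshd_effective() {  # usage: sshd_effective <keyword> <default> <file>
    awk -v want="$1" -v def="$2" '
        BEGIN { want = tolower(want); val = def }
        { sub(/#.*/, ""); gsub(/[="]/, " ") }   # drop comments, "=" and quotes
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { val = tolower($2); exit }
        END { print val }
    ' "$3"
}

# True when root can log in with an empty password: needs both settings.
# "without-password" is NOT permissive: it is the deprecated alias of
# "prohibit-password", which disables password logins for root.
sshd_allows_passwordless_root() {
    root=$(sshd_effective PermitRootLogin prohibit-password "$1")
    empty=$(sshd_effective PermitEmptyPasswords no "$1")
    [ "$root" = "yes" ] && [ "$empty" = "yes" ]
}

# Compare the image copy with the overlay copy that shadows it.
check_layers() {  # usage: check_layers <image_cfg> <overlay_cfg>
    if [ ! -f "$2" ]; then
        echo "FAIL: no overlay copy, the image config is in effect"; return 1
    fi
    if sshd_allows_passwordless_root "$2"; then
        echo "FAIL: overlay config allows passwordless root login"; return 1
    fi
    sshd_allows_passwordless_root "$1" || echo "NOTE: image config is not permissive"
    echo "OK: overlay config blocks passwordless root login"
}

# Constructed sample configs (not taken from any real image).
write_samples() {  # usage: write_samples <dir>
    printf 'PermitRootLogin yes\nPermitEmptyPasswords yes\n' > "$1/image_cfg"
    printf '# stock\npermitrootlogin without-password\nPermitRootLogin yes\nPermitEmptyPasswords yes\n' > "$1/overlay_cfg"
}
```

On a running device this would be called as check_layers /rom/etc/ssh/sshd_config /overlay/upper/etc/ssh/sshd_config, assuming the usual squashfs mount at /rom and overlay upper directory at /overlay/upper.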