I think the right way to do this is with snapshots, the way opensuse microos is doing it, for example. You get the best of both worlds that way - you still can easily install packages into the OS to customise it, and you do get painless updates and rollbacks. There's a very narrow use case where you _do_ want images, but for that you'll want to control the complete secure boot chain for attestation, so I'd dismiss it here.

Fun fact, a bit over a decade ago we were probably the first one ever to publish a distribution to rely on btrfs snapshots per default with the Jolla phone. Sadly that did bite us due to reliability of btrfs at the time, and later phones switched to ext4, but with a stable filesystem it's a nice mechanism for handling updates and factory reset.