Lemme be very clear:
On up to 4.1.0, we have a means of triggering full privileges code execution through softwarehax. This softwarehax requires user interaction. All of our current hax does.
Because the Switch uses ASLR, static exploits (not attacking scripting engines) are extremely unlikely to ever arise once you go down to OS-level exploitation. There's a flaw that allows for a "partial" ASLR defeat on < 3.0.2, but it's extremely difficult to use -- there's currently a $200 bounty from qlutoo and I for anyone being able to trigger a non-scripting engine aslr defeating exploit (e.g. via a savegame), and frankly I don't expect anyone to claim it any time soon. It's extremely difficult. I think in the long term, maybe 1.0.0 could get a solution where you turn it on and it boots into softwarehax. There's a theoretical vector that is almost impossible to use and also has no accompanying savegame exploit on < 3.0.2. Higher than that, your odds of getting what you'd call "coldboothax" are best summarized as followed:
"You're fucked."
I would genuinely maintain approximately zero hope.