The 4th explanation is totally unrelated to why we can read the OTP. Up to 2.1, the CFG_SYSPROT9 config register only had its first bit set (as in, bootrom9 lock mechanism), but its second bit, the one locking access to the OTP area, was not set, so we could still read the OTP area from arm9...