Since there still seems to be confusion about this: FG is considered a coldboot exploit, because it bypasses the actual bootrom and process of the Switch. It cannot, however, alter it. Without injecting a payload from a tethered device it cannot function.
Why? Because when you turn your Switch on, the first thing that runs is the bootrom, which calculates a hash of the firmware and compares it to the value it derives from the public key stored in the fuses of the Tegra. Neither the bootrom nor the public key can be altered (they are burnt into the hardware and cannot be written to), and if the firmware is not properly signed it will simply refuse to boot.
So why can Nintendo update the firmware? They have the private key, a solution to a very complicated mathematical calculation that allows them to sign the firmware as authentic. If you know the public key that corresponds to it, you can verify "Aha, it was indeed Nintendo, the owner of the private key, who signed this firmware." Trying to find out this key is considered more or less impossible, since finding it by brute force will take longer than the time the universe will still exist.
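The check described above, as an added example that is not part of the original post and not Nintendo's or NVIDIA's code: a fixed public key recovers a value from the signature and compares it to the hash of the firmware. It uses toy textbook RSA built from known Mersenne primes with no padding, so it is for illustration only; all names, keys and firmware bytes are constructed.

```python
import hashlib

E = 65537  # common public exponent


def make_keypair(p: int, q: int):
    """Return ((n, e), d) for toy textbook RSA. Constructed, not secure."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent (Python 3.8+)
    return (n, E), d


# Vendor key pair (constructed). Only the public half is placed in the device.
VENDOR_PUBLIC, VENDOR_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)

# Stands in for the value burnt into the hardware: read-only at boot time.
FUSED_PUBLIC_KEY = VENDOR_PUBLIC


def digest(firmware: bytes) -> int:
    """SHA-256 of the image as an integer (fits below both toy moduli)."""
    return int.from_bytes(hashlib.sha256(firmware).digest(), "big")


def sign(firmware: bytes, private_d: int, public_key) -> int:
    """Signing side: requires the private exponent."""
    n, _ = public_key
    return pow(digest(firmware), private_d, n)


def bootrom_verify(firmware: bytes, signature: int) -> bool:
    """Boot side: uses only the fused public key; refuses on any mismatch."""
    n, e = FUSED_PUBLIC_KEY
    if not 0 < signature < n:
        return False
    return pow(signature, e, n) == digest(firmware)


# Constructed sample images.
OFFICIAL = b"constructed firmware image v1"
MODIFIED = OFFICIAL + b" with one changed byte"
GOOD_SIG = sign(OFFICIAL, VENDOR_PRIVATE, VENDOR_PUBLIC)

# A second, unrelated key pair: a valid signature, but not from the fused key.
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**89 - 1, 2**521 - 1)
OTHER_SIG = sign(MODIFIED, OTHER_PRIVATE, OTHER_PUBLIC)

if __name__ == "__main__":
    print("official image boots:      ", bootrom_verify(OFFICIAL, GOOD_SIG))
    print("modified image, old sig:   ", bootrom_verify(MODIFIED, GOOD_SIG))
    print("modified image, other key: ", bootrom_verify(MODIFIED, OTHER_SIG))
```

Because the verifier only ever consults the fused public key, re-signing a modified image with any other key fails the same comparison as an unsigned change.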