Ok, so TL;DR version is that booting stock through hekate is safe if I want to use AutoRCM, for now, for all we know.
I was thinking about keeping fuses for Caffeine, but then I'd need two emunands. I don't see Caffeine being any more convenient than RCM injecting. If there was a possibility of a persistent coldboot into CFW, then I'd wait, but I don't think that's in the works for 4.1.0. That fake account linking through Kefir seems easiest. Although I'm not a fan of using random Russian hack packs, I think I'll be okay this one time.
Thanks for clarifying all the info! I think for now, the best setup would be to keep sysnand updated and online, and emunand offline (obviously) for other things.