Not my space, but I think this would be a cryptography kind of thing. Burn a key into read-only hardware, lock the bootloader, require the kernel and drivers to be signed with a key the burnt-in key can validate. Potentially extend it to all executables on the device.

It’s closed in the sense that you can’t install whatever you want, not in the sense that Valve is going to make their own framework devs have to use.
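An added example (not the commenter's, Valve's, or any device's code) that models the chain the comment describes in Go with ed25519: the root key stands for the one burnt into read-only hardware, it endorses a signing key, and a kernel or driver image is accepted only if that endorsed key signed it. The image bytes and key names are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Image is a signed boot component (kernel, driver, ...).
type Image struct {
	Name string
	Data []byte
	Sig  []byte
}

// VerifyChain models the chain of trust: rootPub stands for the key burnt into
// read-only hardware. It endorses a signing key (keySig = root's signature over
// signerPub), and every image must carry that signing key's signature.
func VerifyChain(rootPub, signerPub ed25519.PublicKey, keySig []byte, images []Image) error {
	if !ed25519.Verify(rootPub, signerPub, keySig) {
		return fmt.Errorf("signing key is not endorsed by the root key")
	}
	for _, img := range images {
		if !ed25519.Verify(signerPub, img.Data, img.Sig) {
			return fmt.Errorf("%s: signature does not match image", img.Name)
		}
	}
	return nil
}

// Scenario uses constructed sample images to check the genuine chain, a kernel
// altered after signing, and a kernel signed by a key the root never endorsed.
func Scenario() (genuine, tampered, rogue error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil) // "burnt-in" key pair
	blPub, blPriv, _ := ed25519.GenerateKey(nil)     // bootloader/kernel signing key
	keySig := ed25519.Sign(rootPriv, blPub)
	kernel := []byte("vmlinuz: constructed sample kernel image")
	images := []Image{{"kernel", kernel, ed25519.Sign(blPriv, kernel)}}
	genuine = VerifyChain(rootPub, blPub, keySig, images)

	evil := append([]byte{}, kernel...)
	evil[0] ^= 0xff // one byte flipped after signing
	tampered = VerifyChain(rootPub, blPub, keySig, []Image{{"kernel", evil, images[0].Sig}})

	roguePub, roguePriv, _ := ed25519.GenerateKey(nil)
	rogueKeySig := ed25519.Sign(roguePriv, roguePub) // self-endorsed, not root-endorsed
	rogue = VerifyChain(rootPub, roguePub, rogueKeySig,
		[]Image{{"kernel", kernel, ed25519.Sign(roguePriv, kernel)}})
	return
}
```

Only the first call returns nil; the flipped byte and the unendorsed key each fail at the link the comment's design is meant to break.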