Hello.
SPD OTA, if that tuned up, update NVM also, I had seen few examples for different vendors, uses SPD, where package contain calibrations and security items data.
It is Ok. SPD not contain any permanent flags ( probably, it check some "factory code" unlock flag, which are transfer during update, but it specified to vendors )
Possible patch FW, but it can be fixed, if vendor find that fact as well. So, unlock again as variant is better, than long workarounds. Possible try find more accurate way ( i.e. code generation and etc. ) But need samples on hands and time for every model. With samples all is hard.
Nowdays much vendors release just only security patches for old devices. Good reason to "fix" possible unlocks