First, sorry for my PC terms like BIOS while referring to a phone. Not completely schooled up on the current names, but I think you'll understand my thought.
I know this may be a slightly off topic, while related. Where would you think the code to pop the efuse is. Would it be in the BIOS level, possibly requiring a JTAG interface to replace with code that will not pop the efuse? Maybe I'm way off track, but I think this type of security would have to be supported to the BIOS level.
If at BIOS level I think you may be able to flash a new bios that will not pop the efuse regardless of the recovery or ROM being used. I understand that a JTAG interface with these phones is beyond what most of the ROM users would be capable on there own and that most devices would have a physical trail from being JTAGed since soldering on the board is often required so a warranty would be out of the question. But, it could allow for you use the device in a corporate level is you corporation has a BYOD program and on the weekends or such play with other ROMs/rooting without having the KNOX system report the device as "compromised" or by a second device to toy with.