the cm recovery (i.e the one that gets built with the OTA package : out/target/product/hammerhead/recovery.img ) enforeces adb.secure, pre cm-12 looked like CWM, the new doesn't (and doesn't have a backup option either -not yet anyways-), if I clear the authorizations, I see a device in adb devices but it says simply offline, If I attempt to connect (ex: adb shell) it spits something that goes along those lines : "unlock the device, authorize then try again".

a locked bootloader will prevent you from changing 1 the bootloader itself, the recovery and the modem. Unlock it and you wipe the whole phone clean (including internal storage AKA sdcard in the case of a nexus device). if you install the public (you do not build it yourself makeing sure that it DOESN'T accept test keys and ENFORCES signature verification) build of any recovery out there you're at risk because of the simple fact that signature verification of OTA packages is either disabled or accepts the know, wildly available TEST KEYS!
Now ADB, since few years ago adb is always run in SECURE mode, meaning it will ASK when you connect the device a computer the first time (for that you need to unclock the device and ACCEPT), that is enforced in recovery (I don;t know about TWRP though, stcok CM does) that means if you never connected the device to any computer before, there's NO way in hell you're having access to ADB.
The only downside is backup in recovery, but for that you have Titanium, or helium they do a fine job (with titanium, you can even encrypt and upload the backup to some "cloud thingy out there")!.

Lock it. Once rooted, the bootloader is lockable/unlockable at will without wiping. Plus, you don;t need to keep it unlocked once the recovery is replaced.
Abd by default is in secure mode, meaning it need authorization, which is something honored by the recovery (CM's at least, can'st speak of other recoveries).
Last but not least, do you own builds and sign them with your own keys! (again CM's recovery installs only and only zips that are signed with the right release key). And then you can add the extra layer of encryption.
My beef with encryption is that it kills any chance of recovering the phone (cerberus, android device manager ... etc) if the phone is turned off.
Let's not forget the password thingy.

nexus 5 has the hardware to do it, just not used. the CAF variante of CyanogenMod (http://github.com/CyanogenMod/android_device_lge_hammerheadcaf) has that enabled. No nightelies for the moment but you can build it from source, give it a spin, if you'de like (bear in mind that there's no upgrade path from SW encryption to HW one, ie : a wipe is required to go from on to the other).

how a bout a simple MitM, forcing someone to download what they think is the legitimate firmware when they are not (not that publishing any hash on said would counter that ).

20 minutes ago I was white and gold (pic in 1st link). Now,it's blue and black.
My GF was next to me, and saw the opposite of what I saw.

the nutjobs do not need that, but the provocation expands their recruitment pool.

by the cops, may be with court order!

virtualbox is free!

when it's dead!

what kind of support does a carrier offer exactly?

No it is no old. I have one and it is still working perfectly. Running the latest version of android (thank you CM)

sorry I forgot to quote. I was referring specifically to this

What's more so : there is no publicly "available android update" that includes a patch for 4.3-.
If it were in existence, rebuilding the components is easy, getting them on a "unlocked -as in bootloader- phone" is the challenge. But if the bootloader is unlocked, chances are the user is tech savvy and the device is in "the supported devices list" of some custom android project out there (CM/AOKP/OMNIUM/PA to name few).

these are to diffrent types of locks. One is a SIMLOCK : cannot use any other SIM card, the other is bootloader LOCK (no way of installing anything other than the SIGNED/blessed OS/FIRMWARE from the MANUFACTURER). in regard to the second type some phone are better than others : can unlock the bootloader easily, with provided tools (no need for exploits).
If the bootloader can be unclocked you can always go the aosp/custom way, but there will be a point where that won't work, mainly because of the non opensource components.

in theory it could, but in practice not so much, why? see your second point !