The issue is that you must have the internal drive recognizable and bootable and that the machine won’t boot with a corrupted/failed internal drive. I don’t know if that is an Apple decision or a physical/logical part of the security model. Making a bootable clone is as you say possible…and I personally wouldn’t mind if it was sealed and signed and only updatable if it was the current boot volume…Ric’s problem was that he may have had an up to date external boot volume with an associated data volume that had a current clone…but the machine itself is DOA with a bad internal drive. If that was a deliberate choice by Apple…bad idea IMO unless there’s something I don’t know/understand about the security model.