What about asserting write lock on the flash? By piggybacking a copied (but encrypted), identical flash part, or an ICE that allows reads from the original flash and writes to another part, the OS wouldn't necessarily know there was anything nefarious going on.
Besides, if this particular information is that valuable, they would have no problem paying for it.
Which brings us back to: it isn't the device they want cracked, but governmental oversight of (civilian) encryption.
I'm not sure but I think the problem is that the data isn't just encrypted with the user's passcode, it's encrypted with the passcode entangled with the private key of the secure enclave chip (which, presumably, is unknown to anyone).
So they can't just attempt to brute force the encrypted data, as the encryption key would be 256 bits or more rather than just a 4 or 6-digit numeric passcode. That's why they want Apple to open the OS up to brute force passcode attempts.
Edit: there's no secure enclave chip on the phone in question, but it seems that iOS 8 and later encrypt the user data with a separate private key combined with the user passcode.
I'm not a crypto expert so take what I say with a grain of salt, but...
The password is tangled with the UID burned into the device at its creation, creating the 'passcode key' that secures the phone[0].
If extracting the UID is somehow possible, it doesn't sound impossible to try all 10,000 combinations (assuming a 4-digit passcode is used) offline, on different software.
One would hope that the part where this UID is stored at least has all the basic tamper-proof protections so that it self-destructs if tampered with, as e.g. many SIM cards do.
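To make the entanglement argument concrete, here is an added toy model (my own example, not Apple's actual derivation and not code from anyone in the thread): the passcode is run through PBKDF2 with the per-device UID as the salt, so the same passcode yields a different key on every device, and the size of the offline search depends entirely on whether the UID has been extracted. The UID value and the iteration count are constructed placeholders.

```python
import hashlib
import hmac
import math
import time

# Constructed work factor for this toy model. A real scheme tunes the cost to the
# device's hardware so that every guess costs a fixed amount of wall-clock time.
ITERATIONS = 50_000


def derive_passcode_key(passcode: str, device_uid: bytes) -> bytes:
    """Hypothetical entanglement: the UID is the PBKDF2 salt, so the derived key
    cannot be recomputed on other hardware unless the UID has been extracted."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), device_uid, ITERATIONS, dklen=32)


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, as a key check should be."""
    return hmac.compare_digest(a, b)


def candidate_space_bits(digits: int, uid_known: bool, uid_bits: int = 256) -> float:
    """Entropy an offline guesser must search: only the numeric passcode once the
    UID is known, the passcode plus the UID's entropy otherwise."""
    passcode_bits = math.log2(10 ** digits)
    return passcode_bits if uid_known else passcode_bits + uid_bits


def exhaustive_search_seconds(digits: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every numeric passcode of this length offline, given
    the measured cost of one derivation (the work factor is the defender's lever)."""
    return (10 ** digits) * seconds_per_guess


def measure_seconds_per_guess(device_uid: bytes, samples: int = 3) -> float:
    """Time a few derivations on this machine to feed exhaustive_search_seconds."""
    start = time.perf_counter()
    for i in range(samples):
        derive_passcode_key(f"{i:04d}", device_uid)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    uid = bytes.fromhex("00" * 31 + "01")  # constructed placeholder, not a real device UID
    per_guess = measure_seconds_per_guess(uid)
    for digits in (4, 6):
        print(f"{digits}-digit, UID known:   {candidate_space_bits(digits, True):.1f} bits, "
              f"worst case {exhaustive_search_seconds(digits, per_guess):.0f} s")
        print(f"{digits}-digit, UID unknown: {candidate_space_bits(digits, False):.1f} bits")
```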