Disabling remote SSH, OTA and public URL locally

Hi, for a product we’re developing, a requirement which has come up due to security and privacy concerns is to allow the device itself to disable remote access, updates and also the public URL.

For the public URL, unless it is directly configurable, we could simply use iptables to block the balena VPN from accessing any of our containers.

For updates I suppose we could also use a lock file to prevent updates.

But when it comes to blocking remote access with SSH, is there any way to do this?

The idea is that the end user, on e.g. a configuration page, will be able to toggle these features.

Or perhaps there is a way to simply make the device not contact Balena if the user chooses to do so?