Hi Olivier, welcome to the forums!
I think your research so far is pretty accurate.
The Hikey is a good platform for developing and testing secure applications; it is cheap, contains 64-bit hardware and the secure world is accessible for people to use however they like (this is not true of all platforms). As a result is has good OP-TEE support and just enough of the SoC security hardware is enabled to prevent the normal world from directly affect secure world memory. The current settings make us safe from Murphy (a developer who makes mistakes) but not from Machiavelli (a hostile actor). This is sufficient to provide a development environment where we can exercise most use-cases, including the ARM trusted firmware boot flows.
However, as you have observed, it is a development vehicle only and is not suitable for secure deployment. Specifically I’m not aware of any way to securely load ARM trusted firmware’s BL1 bootloader.