we haven't really done much work related to security.
for sure the TZ firmware is the same (at least we think so, this is a black box to us as well).
however the downstream Android kernel might be doing some setup/init that we aren't doing with the linux/upstream kernel. there is a 'qsee' kernel driver in the downstream, and if you want to use secure apps on linux/upstream you will need to forward port the qsee driver (and any of its dependencies, first.
even after that, it's not very clear (e.g. we don't have the guarantees) that it will work, since i don't even know if the secure app work on Android on DB410c...