Nope, AFAIK nobody/nothing is allowed to mess with system files if SIP is enabled.
So we could be faced with a trade-off. Lose a bit of system integrity/security whilst allowing auto-replacement of the EFI files (boot.efi with SIP forced off), or stick with SIP and "find" another way to deal with updates...
How about modifying the Recovery Partition?
After an Apple update where they overwrite the boot.efi files, we guide users to boot into Recovery, run the fix, reboot?
(That'll work until Apple updates the Recovery too!)