Judicious abuse of the USB startup script could accomplish this, and would be an easy and painless revert. (just unplug the drive, and reboot the nas) For permanent changes, re-baking the cramfs container that gets mounted at /usr/local/modules (It is physically stored on /boot which is a rw ext4 volume) would let you completely and persistently change the webroot (and thus the whole GUI), and a great many system things, as the existing initrd calls a system invocation script in /usr/local/modules/script which does all the user init stuff (which you could re-bake by baking the cramfs container again)
I may consider researching how to make use of the persistent partition (HD_a7) to completely replace the system contents of the cramfs container, and patch into the root FS with symlink creation, to make the Gen2 more user configurable (persistently) like the Gen1 is. That is sure to void the warranty though. (current thought is a hyper minimal cramfs container, that just contains a script to bounce control back to the local, editable contents of the persistent partition, because the initrd explicitly mounts said cramfs container, then jumps startup execution there. Keep it around as a legacy artifact to avoid modifying the initrd and as a known early hook in the boot process, then jump out and do everything else outside it.)
It would be hilarious we WE fixed the security holes being discussed.