Yes, exactly. Also keep in mind that SYS_BOOT only defines where from ROMBOOT loads xloader aka MLO. The latter then loads uBoot from arbitrary storage - depending on what's coded into xloader. Finally uBoot loads the kernel and tells kernel where is /-fs. So even without any control over SYS_BOOT[5] the natural method to do "multiboot" is to have uBoot (as well as xloader) loaded from NAND and uBoot then lets user decide where kernel and system should get fetched from. In case xloader in NAND is not found, the ROMBOOT will fall through to next source in boot sequence
So SYS_BOOT[5]=1 is only needed to recover from a broken xloader/uBoot in OneNAND, by booting from either USB, UART3 (HackerBus) or MMC1. While normal changing of boot device (and thus kernel and system) is done in uBoot which can have all the protection against attacks you could think of. And since OneNAND is first in normal boot sequence, if you locked your device there's no way for an attacker to bypass that security in uBoot, except of unlocking the device again which means disassemble and solder which can't get done without losing RAM content. So your encrypted filesystem is secure when your device has a lockscreen enabled :-) The less concerned user would keep the battery lid hallswitch connected to SYS_BOOT[5] to allow forcing of e.g. USB (xloader) boot in case some mishap messed up e.g. uBoot. For added safety you would want your system to erase from RAM any cryptokeys for your encrypted filesystems as soon as a battery lid removal gets detected on a screenlocked device.

cheers
/j