You cannot boot from the SD card without having enough access to the device to modify the initfs (for someone not highly familiar with Linux, this would involve using fanoush's initfs_flasher, which must be run on a booted device). Either way, even if one were able to boot to something other than the rootfs, getting the rootfs mounted takes a bit of work from there.

Not easily over USB (and definitely not while the device is booted), but do not store anything of importance on either the 2GB internal flash or the MiniSD card.

I think probably the most important thing here is security through obscurity. Does the guy have any background with Linux? If so, any background with embedded ARM devices? There are no easily installable monitoring solutions available from the internet, and getting one running on the device would be quite involved.

Obviously, as has been stated already, physical access trumps all, but even with it, one would need a strong knowledge of Linux (and in particular, ITOS/maemo) to accomplish anything with it.