We discussed this in the identity working group today, thanks for that @nmattia! I appreciate the pushback with concern to security. I understand that implementing code in the IC that allows for the injection of a new root key has huge security ramifications. However couldn’t this change be limited to the local replica, without affecting mainnet code? I’m not familiar with local replica architecture, but I imagine there might be other examples of code that runs on local replicas which could/should never be run on mainnet. I’m not quite ready to retire this line of inquiry just yet!
We also discussed dfx pull as a potential solution, since it might make it trivial for any project (II, NFID, etc) to provide a local integration path that takes just a few cli commands. Let’s find the latest update and link it here.
Edit: looks like dfx pull is coming in an unreleased version of dfx 
DFX Updates This Week