
The games themselves run in a sandbox and should not have access to the greater OS, hypervisor or ARM TrustZone which are on the Switch.


Assuming the jar has no holes. The jar apparently has holes and the brain inside it can peek out.


I haven't seen any exploits from application level getting access to the OS. There is basically one exploit being used on the Switch which uses a bug in the Nvidia chip at boot which gives you a higher level of access than the OS and all of the security checks. It's such a powerful exploit that can only be fixed by a hardware change that no other exploit is needed.


You didn’t look too hard then. Deja vu got released recently. It’s a chain from unprivileged to bootrom. Got fixed in 8.0.0, the very latest firmwares. Look it up at https://switchbrew.org/wiki/Switch_System_Flaws

It’s currently the only known chain, and might be the only one in existence. And yet it’s a big threat. In practice, A Dark Room isn’t a particularly interesting entrypoint due to requiring a USB keyboard (the web browser is easier to open). But it's understandable that Nintendo would want to keep those entrypoints to an absolute minimum. Especially since newer hardware revisions exist which fixed Fusee-Gelee, the BootROM bug you talked about.


Just because you haven't seen them doesn't mean they don't exist.

And, there has been one pure "software" kernel access released (for 1.0.0), as well as a handful of later kernel exploits that haven't been.

Nintendo is right to be paranoid about ANY code execution, because that is the first step to reducing the pool of end users who can then "root" their consoles.


There was also a Web browser exploit https://github.com/switchbrew/nx-hbexploit300


All sandboxes have bugs, it's just a matter of time before someone finds a vuln in the DS sandbox.


"should" is the operative word.



