Just share my example here.
Our student club manage "kiosk" machines in our campus library, and our solution is network boot + prebuilt images + tmpfs overlay. These kiosk machines have their internal drive (HDD or SSD) removed and everything but "IPv4 PXE boot" removed from their boot options. Our PXE server also sends customized boot options for these machines so only the customized OS is available.
When these kiosk machines boot, they pull our squashfs image (~700 MB) into RAM and combine it with a writable tmpfs with overlay2. This is all done in initramfs so normal (userspace) system behaves identically. The OS image is based on Debian and boots into a "regular" (UID 1000) user automatically, launching any predefined applications upon login. We also install a crontab to reboot these machines at 4 AM Saturday morning to ensure they get updated regularly whenever we push new config or images to our PXE server. This also helps get rid of any possible leftovers from normal use throughout the days.
Security-wise, the regular user has no shell access (its login shell is set to /bin/su so you need root password) and very limited network access. There's an iptables/ip6tables whitelist for this user so only library-related websites and services are accessible.