Just to clarify, my point about liability was more about if someone gets hurt by the controlled and it goes to (potentially criminal) court for negligence. In this case there is going to be a witch hunt and everyone will try to deflect blame, thus your non-standard modification will be under much scrutiny regardless if it actually played a role. In fact judging by the original reliability (or lack thereof) of the system, you might get blamed for failures that don’t actually have anything to do with your modification.
If there’s no risk of injury/death then the stakes are much lower and indeed since the vendor software itself is already shitty you can’t really make it any worse.
To add to my original comment, if you want to pursue the Wi-Fi SD card route, I suggest using any of the known vulnerabilities to get root on the card and then reverse engineer the card (as in how the SD side is driven) from the inside.
This would effectively let you skip the whole “build a device that emulates an SD card” part.
From there I’d suggest building a Linux image from scratch using Buildroot or Yocto, so you start with a fresh and modern base and don’t have to fight with the SD vendor’s firmware or deal with their vulnerabilities (which might be a liability in your case).
Feel free to get in touch (email in my profile) if you want more guidance.
If there’s no risk of injury/death then the stakes are much lower and indeed since the vendor software itself is already shitty you can’t really make it any worse.