Hardened Grub in Libreboot https://libreboot.org/docs/linux/grub_hardening.html
See Mate Kukri at upcoming Open Source Firmware Conference about TPM compromise.
https://libreboot.org/docs/install/spi.html Ready to get out your pi and external programmer? https://en.m.wikipedia.org/wiki/CryptoParty
RPi connects automatically (wpa_supplicant) to the SSID if you use their imager (not dd), but you need access to the router API to get the pi’s IP (or nmap -sP <network>), and then a script automatically configures the ssh private-public key on first initialization, which is default rsa, but you can text box in a ssh-keygen ed25519 (521 bit 100+ rounds).
Beagle Bone or some other SBC may be preferable if you want to avoid wireless connections for sensitive firmware operations. Make sure your router is locked down tight because some asshole is supposed to hostile takeover your pi but there is no way for him to do so without an NSA because the ssh crypto curves are strong (no civilian breaks rsa 4096 let alone the newer quantum resistant ed25519).
No way to connect to rpi without peripherals because defaults need to be changed via terminal first for UART serial and WiFi ssh. Editing bootfs and rootfs (unless you want to make time-consuming scripts) won’t do it. This is probably by design since rpis ship with default Google DNS for telemetry and data mining. Suggest changing resolv.conf* so Google doesn’t 8 all your pi before you get some.
*After ssh configuration, rpi uses DNS of router.
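
A quick check for the two settings discussed above, as an added example that is not part of the original post: it lists Google Public DNS entries in a resolv.conf and any authorized_keys entries that are not Ed25519. The function names, temp paths and sample file contents are assumptions constructed for illustration; point the functions at the real files (or a mounted rootfs) to use them.

```shell
#!/bin/sh
# Added example (not from the original post). Paths are passed in, so the
# checks work on the live system or on a mounted rootfs partition.

# Print each nameserver in a resolv.conf-style file that is a Google Public
# DNS address (8.8.8.8, 8.8.4.4 and their IPv6 equivalents).
google_resolvers() {
    awk '$1 == "nameserver" {
        a = tolower($2)
        if (a == "8.8.8.8" || a == "8.8.4.4" ||
            a == "2001:4860:4860::8888" || a == "2001:4860:4860::8844")
            print a
    }' "$1"
}

# Print the key type of every authorized_keys entry that is not Ed25519.
# Entries may begin with options (e.g. no-pty), so scan fields for the type.
# Simplification: options containing quoted spaces are not parsed.
non_ed25519_keys() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
    {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                if ($i != "ssh-ed25519" && $i != "sk-ssh-ed25519@openssh.com")
                    print $i
                next
            }
    }' "$1"
}

# Constructed sample inputs (not taken from a real device).
tmp=$(mktemp -d)
cat > "$tmp/resolv.conf" <<'EOF'
# constructed sample
nameserver 8.8.8.8
nameserver 192.168.1.1
nameserver 2001:4860:4860::8844
EOF
cat > "$tmp/authorized_keys" <<'EOF'
# constructed sample; key bodies are placeholders
ssh-rsa AAAAPLACEHOLDER pi@imager
ssh-ed25519 AAAAPLACEHOLDER admin@laptop
no-pty ecdsa-sha2-nistp521 AAAAPLACEHOLDER old@host
EOF

echo "Google resolvers:";  google_resolvers "$tmp/resolv.conf"
echo "Non-Ed25519 keys:";  non_ed25519_keys "$tmp/authorized_keys"
```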