I know you can build a Debian system with debootstrap. Using debootstrap it should be possible to create a custom image. The main partition could be read only with separate mounts for anything that need to be read write.
Using containers it should be possible to create a filesystem image. I think the tricky part it testing the image and then updating the existing partition. Maybe some custom ostree tool could do the trick. If not there is always rsync and btrfs snapshots.
Also, not Debian, but https://github.com/cleanroom-team/cleanroom is very a DIY unusable system. I didn't build (most) off it, but I use it on my daily driver and a couple of other machines.