1. Doing the password reset
2. Reboot straight back into recovery
3. Update your new password back into your old password
4. Boot into macOS, your default keychain will unlock but you'll still have to re-authenticate to iCloud since your machine-user identity combo will no longer match with what iCloud expects. (not sure if this is part of Octagon Trust, but there are various interesting layers to this)
Check the escalation path of key revocation for example where you don't just have longer time delays but also stricter environments where new attempts can be made (near the end): https://support.apple.com/en-gb/guide/security/sec20230a10d/...
Plenty of not-very-granular "enterprise" systems out there, it's not exactly unique to not always have full ACLs on the smallest of objects.