My apologies. I meant: I would do the PiKVM exactly as you described, then find a way (perhaps via an IP-controlled powerbar) to powercycle the box as needed. But I would use some other remote control software, and only the PiKVM if stuff goes really wrong.
I have a similar setup and similar requirements from users in my family.
I'm around 4400km away. The box lives in a restricted/locked down VLAN. I'm fortunate in that I have gigabit fiber at both ends now, so I also have a WireGuard link.
I use MeshCentral2 for control in userspace, a PiKVM in case bad stuff happens, and I am able to cut power as needed via the powerbar. I leave a USB key that I ask my parents to plug in, if I need to reinstall the system. Virtually all of the time, MeshCentral2 does what I need. I only use the PiKVM if/when I need to actually go into the BIOS or reinstall the system. On some Windows systems, I also do an install of RemotelyAnywhere (which is local-only) which I can access over wg. This is useful as a backup.
I install Intel DC SSDs in the system with PLP. I think mine has an S3610 in it.
As they don't have root privileges, I haven't had any problems for extended periods of time this way. I'm usually on site once a year, and that's when I do upgrades.
I had an ISP snafu (they pushed bad firmware and remotely reset the 'modem', and it started doing NAT, and my router no longer had a publicly routable IP) and the MeshCentral2 connection was maintained through the NAT. That allowed me to remotely put the ISP modem back into bridge mode, which was fun...
I connect the ISP into a managed switch, so I have 2 redundant PPPoE sessions established, directly from the fiber. In case of router failure, I have a backup way to get in and fix stuff.
I've had some RAM go bad before. I sent completely new hardware (an entirely new system), and had them slowly/painfully connect the device to the PiKVM, attach my USB key, and I did the redeployment remotely.