@wschilpzand, pairing is only insecure during the initial connection phase. Once the devices sync up, the connection should be secure. I haven’t looked at the implementation in DeviceOS closely, but they have probably used the “Just Works” configuration. There are currently no other ways to establish a connection.
One thing you can do that’s a bit more clever is use an asymmetric key share over BLE. The handshake is secure and once it occurs, all data is encrypted. The hard part is making sure that the keys on each device stay secure. Espressif had this approach for their OTA functionality. (Link below)
There’s some extra work to do there but I think it’s possible to put something together that is MITM resilient.
I’m not an expert on cryptography/security so take all of this with a grain of salt.
Added note: there may be a clever way to get OOB (out of band) auth to work as well. It all depends on your application. As far as I know these features are within the Nordic SDK but not exposed in DeviceOS’s
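
An added example, not part of the original post and not Espressif's or Device OS code: a sketch of an application-layer key exchange of the kind the post describes, showing that an ephemeral-only exchange accepts a substituted key while mixing in a pinned static key rejects it. The pure-Python X25519, the static-key pinning scheme and every function name here are assumptions for illustration; a real build would use a vetted crypto library and keep the static private keys in protected storage.

```python
import hashlib, hmac, os

P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")  # X25519 base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Plain Python, not constant time: demo only."""
    k_int = int.from_bytes(k, "little") & ((1 << 254) - 8) | (1 << 254)  # clamp
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (k_int >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def pub(priv: bytes) -> bytes:
    return x25519(priv, BASE)

def session_key(my_eph, peer_eph_pub, my_static=None, peer_static_pub=None) -> bytes:
    """Ephemeral DH alone is unauthenticated; adding DH with a pinned static
    public key ties the session to the holder of the matching private key."""
    secret = x25519(my_eph, peer_eph_pub)
    if my_static is not None:
        secret += x25519(my_static, peer_static_pub)
    return hashlib.sha256(b"ble-app-demo" + secret).digest()

def phone_accepts(pinned: bool, mitm: bool) -> bool:
    """True if the phone accepts the key-confirmation tag it receives."""
    dev_s, dev_e, ph_s, ph_e, atk_e = (os.urandom(32) for _ in range(5))
    # Ephemeral key reaching the phone; with mitm=True it has been substituted.
    from_dev = pub(atk_e) if mitm else pub(dev_e)
    phone_key = session_key(ph_e, from_dev, *((ph_s, pub(dev_s)) if pinned else ()))
    if mitm:  # the substituting party holds atk_e but neither static private key
        sender_key = session_key(atk_e, pub(ph_e))
    else:
        sender_key = session_key(dev_e, pub(ph_e), *((dev_s, pub(ph_s)) if pinned else ()))
    transcript = pub(ph_e) + from_dev
    tag = hmac.new(sender_key, transcript, hashlib.sha256).digest()
    expected = hmac.new(phone_key, transcript, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)
```

Only the pinned variant fails closed when the ephemeral key is swapped, and that holds only as long as the static private keys stay on their devices.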