If I were to design such a system, booting to full functionality would require human intervention prior to launch, but would allow a reboot to a separate partition with enough functionality to fly the drone back to base. Data, as was pointed out before, would be asymmetrically encrypted and would require a separate key that would never reach the drone.
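The data-handling part of the design above (records encrypted to a public key whose private half stays at base), sketched for Node.js as an added example that is not part of the original post. The function names, the blob layout, the choice of X25519 + HKDF-SHA256 + AES-256-GCM and the `drone-record-v1` label are assumptions made for illustration.

```javascript
// Added example; names, blob layout and KDF label are assumptions, not from the post.
const { generateKeyPairSync, createPublicKey, diffieHellman, hkdfSync,
        createCipheriv, createDecipheriv } = require("crypto");

const SPKI_LEN = 44;            // DER SubjectPublicKeyInfo length of an X25519 public key
const NONCE = Buffer.alloc(12); // fixed nonce is safe only because each key encrypts one record

// X25519 ECDH, then HKDF-SHA256 salted with the ephemeral public key -> AES-256 key.
function recordKey(privateKey, publicKey, ephDer) {
  const secret = diffieHellman({ privateKey, publicKey });
  return Buffer.from(hkdfSync("sha256", secret, ephDer, "drone-record-v1", 32));
}

// Runs on the drone, which stores only the base station's public key.
// Output: ephemeral public key (44 B) || GCM tag (16 B) || ciphertext.
function seal(basePublicKey, record) {
  const eph = generateKeyPairSync("x25519"); // fresh pair per record, private half discarded
  const ephDer = eph.publicKey.export({ type: "spki", format: "der" });
  const key = recordKey(eph.privateKey, basePublicKey, ephDer);
  const cipher = createCipheriv("aes-256-gcm", key, NONCE);
  const ct = Buffer.concat([cipher.update(record), cipher.final()]);
  return Buffer.concat([ephDer, cipher.getAuthTag(), ct]);
}

// Runs at base only, where the private key lives. Throws if the blob was altered
// or was sealed for a different key.
function unseal(basePrivateKey, blob) {
  if (blob.length < SPKI_LEN + 16) throw new Error("blob too short");
  const ephDer = blob.subarray(0, SPKI_LEN);
  const ephPub = createPublicKey({ key: ephDer, format: "der", type: "spki" });
  const key = recordKey(basePrivateKey, ephPub, ephDer);
  const decipher = createDecipheriv("aes-256-gcm", key, NONCE);
  decipher.setAuthTag(blob.subarray(SPKI_LEN, SPKI_LEN + 16));
  return Buffer.concat([decipher.update(blob.subarray(SPKI_LEN + 16)), decipher.final()]);
}

// Constructed demo: the pair is generated at base; only publicKey is provisioned to the drone.
const baseKeys = generateKeyPairSync("x25519");
const demoBlob = seal(baseKeys.publicKey, Buffer.from("constructed flight log: lat=0.0 lon=0.0"));
console.log(unseal(baseKeys.privateKey, demoBlob).toString());
```

Everything `seal` needs is public, so a captured drone yields nothing that decrypts records it has already written.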