Yes, that’s my understanding, on both counts, as well, @Nick-Triller.
This, as well as the first initialisation of the Vault obviously, is one of the two operations that really should be conducted as ceremonies: that is, they should be manually initiated, with all the required parties in the same room. (This isn’t always possible, of course, but every effort should be made to meet this ideal.) [Edit: there should always be more than one set of eyes on the keyboard when a root token is in play, right up until the time it is revoked. And, in the case of key shards, shard/key holders should provide their own keys as part of the ceremony, so the unseal keys are never exposed.]
The other operation is Disaster Recovery promotion of a secondary cluster. @tmiroslav, this is actually an operation that you can prepare for in advance. So, generate that DR promotion token as a ceremony, but, if such ceremonies are even more problematic than they are for most organisations, then do it during initialisation, for example, and hold on to that token for, well, a disaster.
There is a denial-of-service risk to that token falling into the wrong hands, but there are risks associated with everything, and I would argue that whatever means you’re using to circumvent ceremonies with bodies in a room during a disaster may be far riskier. As with everything around security and security products: conduct a thorough threat assessment, and make sure it is up to date, reflecting your actual landscape in terms of actors, attack surface, available methods, etc.