You should be safe to avoid this unless your threat model includes a "trusting trust"-type exploit on Nix generating the ISO.
Also, just realized it'll be a little more complex because you'll want to use home-manager to install Firefox plugins and do about:config configuration.
Here are some examples of that in various contexts:
1. Install Nix in a VM or on a clean HD
2. Customize Firefox to my liking
3. Follow the two steps you highlight
4. Load my created ISO in a VM
Right?