Ah yes - the joys of "security == compromise between accessibility and not" ... and PXE is a super simple (and thus - dumb) and "not exactly resilient" (to put it mildly) situation.
If it helps, you CAN specify "a single device" (or however) per subnet to be the PXE-rep ... so it's "not random" if you need it to NOT be so. You can control which clients do / do not take part in the self-election.