Capturing a ship without ship to ship combat first softening a ship should be highly unlikely but not impossible. The primary problem I have with the Emerald Chain taking Discovery is not that they succeed, but how we see none of the work required to bypass Discovery's defense. Worse, based on what we see Discovery has fewer defenses than any ship or station in the TNG period, and the only explanation we get afterward amounts to "Tilly sucks." While every defense and offense has a possible counter, we get neither.
First, and most obvious are shields. Even weakened shields can block transporters, and there is no indication that Discovery's shields were down after decloaking. Yes, there could have been a period of shields down after decloaking, but we get no hint, implication, statement, nor display of that. It stands to reason that future systems would lack that weakness given the Scimitar has multiple layers of shields while cloaked, thus no cloak induced shield drop weakness. Rare technologies of the past become common down the line.
Peer shield and transporter technologies work against each other as intended unless we get an explicit exploit or vast technological disparity. Despite the Chain being stated as more advanced than the Federation there is no indication of this being a vast advantage, such as between Borg and everyone else, or Voth and everyone else. For the most part, the Chain is setup as a peer of the Federation given how neither wants a war with the other. If the Chain had been shown researching or exploiting a design weakness that would be a different matter, but we don't get that build up to explain the ease of intrusion.
Second, lets assume the Chain bypasses the shields, next they must safely enter the hull, which can be done either by piercing the hull or beaming. Hull piercing should be extremely difficult with programmable matter, because it should be able to reconfigure to push intrusions back out, or even anticipate intrusion and reinforce in response. Constant attack might be able to counter adaption, or perhaps creation of an intrusion conduit using one's own programmable matter. Except that might not be needed, Discovery has a glaring hull weakness, they never close their shuttle bay. Then there are transporters.
Transporters have had purpose built counters since TNG, they are never used on ships in that period, but nothing we know of was stopping them. Further, the Chain does use such a system on Discovery once it is taken, but this blocks all beaming for everyone including themselves. With the technology being so old there is no reason Discovery should have lacked non-shield transporter countermeasures. At the very least it should have had internal shielding layers to stop unwelcome beaming. Given how one can beam through one's own shields, there is no reason to lack internal shielding with differing beaming clearances, which would allow friendlies to beam at will, but stop unidentified beaming. I would go so far as to say there should be no reason they lack general anti-transporter fields which are coded and can allow only friendly signatures.
Bypassing this would be simple, have it so Book's device is secretly a backdoor to any system it is connected too. Have it that he isn't as smart as he thinks and inadvertently sabotages the ship. The device then transmits in real time the security frequencies or codes to let intruders in safely. Worse case, it isn't just passive intrusion like Geordi's hacked VISOR, it allows alteration of systems.
The enemy has successfully entered the ship, so third is internal defenses. Internal shields have existed since TNG, and they can be erected not only at specific places but anywhere desired for instant confinement. Bypassing them would require battering them down, or having personal shields frequency matched to the internal defenses, or transphasic personal cloaking. As near peers, if the Chain has phase cloaking, the Federation should have an anti-phase cloak, like the method for re phasing in "The Next Phase" or "Times Arrow."
Transporters can be used to send intruders to confinement and strip them of power for their devices, or strip them of devices directly. The defense for that is personal shields or transporter inhibitors to foil lock-on.
One of the hardest defenses to defeat would be physical ejection from the ship, by way of the ship using the programmable matter hull to reconfigure around intruders and send them into vacuum. One would have to avoid getting near the hull and have a vacuum rated suit. Beaming back in might be the only defense, but if the ship has active beam scramblers that might be a deadly bet. In the worst case scenario, all beaming could be blocked by scramblers, not even allowing friendly beaming.
Deck gravity can be increased to deadly or disabling levels. This can be countered with personal gravity systems, but a portable system will have lower duration than that of a ship system.
Holographics and programmable matter could reconfigure corridors into mazes and kill zones. Weapons and soldiers could be made on the fly. Even worse for intruders would be holographically flooding corridors with avalanches or instantaneous solid rock. Robust anti-holographics would be required, and as well as anti-programmable matter programmable matter to counter physical versions of the same defenses. As seen with Su'kal's holodeck, holodecks can remake people on a physical and chemical level and read minds, so simply turning a person into something helpless and reading their plans from their minds requires specialized defenses. This should also mean people can holographically enhance themselves through personal systems.
If the universal translator and holodecks read minds, and a psychic signal was artificially enhanced, it stands to reasons psychic weapons could exist in the 32nd century.
Fourth is the Sphere Data. It was shown as defending itself from attack, so a special effort must be shown in circumventing it and its enhanced defenses. While surprise and speed can explain an initial invasion, the final steps must show a major effort quickly hacking the Sphere Data's defenses away. This could be explained with the Chain having an overwhelming programming advantage over the Federation, as well as its backdoor intrusion, but it must be explained. It cannot simply be assumed, given how critical the Sphere Data self defense is to the story of season 2 and the existence of season 3.
Alternatively, have the chain beam explosives to key systems as they send personnel. Destroy the Sphere Data at the source, unintentionally. They then use programmable matter to rebuild the computer core, and the Sphere Data survives because it happened to have data in independent units, such as the DOT's.
