I suspect any modified hardware would be targeted, not every single computer. You probably shouldn't order a computer online if this is your threat model, and instead pay for one off the shelf.
If a state actor is sufficiently motivated, even in a physical purchase, your computer will just get switched out for a bugged one at the cashier.
Common OPSEC practice re: buying hardware (or anything you don’t want your name associated with, really), is to pay an unaffiliated proxy to buy it for you.
>your computer will just get switched out for a bugged one at the cashier.
I doubt it. How would they swap it in time if you drove to a random Best buy, picked out a laptop (I think they still keep them in locked cages on the show floor), and kept eyes on it until checkout? Nevermind that they'll need surveillance on you 24/7 and have the exact model ready to go (or be able to plant the bug within minutes) to pull this off. It's much more feasible to only bug delivered/ordered equipment.
It seems really implausible to pull off without making a scene with a bunch of retail workers thinking you're trying to pull off some kind of scam/fraud.
If a state actor is sufficiently motivated, even in a physical purchase, your computer will just get switched out for a bugged one at the cashier.
Common OPSEC practice re: buying hardware (or anything you don’t want your name associated with, really), is to pay an unaffiliated proxy to buy it for you.