[Jedd]

This is not true.

Firmware is typically copyrighted, large, obfuscated, and executable on your system.

A password is a string that you can examine and offers no intrinsic threat - either exploit, or legal.

As per the link I provided to you, Debian's policy is that free firmware are shipped in the distribution -- non-free firmware requires you add the 'non-free' and/or 'contrib' parameters to your repository lists.

There is no need to wildly speculate about the motivations of the Debian team -- eg 'send a signal people should buy certain devices' -- when their motivation is explicitly stated.

The DFSG dictates non-free software will not part of the standard distribution. But they've made it easy to pull those files in (as above) via a one word addition to one line of your sources.list file.