[extrapickles]

Adding an extra layer is expensive (and done in pairs). As others mentioned, when you go to manufacture your boards, you export each layer into its own file, zip them all up and then send/upload the files to your manufacturer. Either you will notice the extra files, or when you put in your order, the manufacturer will reject the order as you gave them the wrong number of files (eg: you paid for 4 layers, but sent them 6). The file format of the layers is basically a vector in ASCII of each trace, so there is little opportunity to hide extra stuff.

More and more manufacturers with online ordering show you images of what they think each layer looks like, and any modifications unless they are very slight will be detected then. You always review each layer in the manufacturers tool as there is a host of things that can go wrong (layer ordering, mirroring, alignment, copper vs solder mask vs silkscreen layer types).

Adding extra components is out too, as the Bill of Materials is exported to CSV, then imported into several component suppliers websites. Any non-basic component is carefully scrutinized for need as they are expensive (and these days hard to get) and to make sure you have everything you need to actually build the board as any non-trivial board requires multiple suppliers to provide all of the components. Even if you missed it then, assembly charges a significant amount per unique component they have to place on the board (eg: placing same resistor twice is cheaper than 2 different resistors).

Once the board is assembled, it will then likely undergo EMI testing to comply with various countries limits on how much RF can leak out of the product. In quite a few cases, final testing is done by a 3rd party lab. This basically limits whatever data exfiltration method to be short range.

If someone wanted to be evil, they would have much better luck on the software side of the product rather than at the board level.