[marcan_42]

And this isn't the case on M1 machines. On M1s, all blobs that remain after you launch Linux are sandboxed behind IOMMUs, so they cannot take over the system. Ignoring hardware backdoors (which you can never be sure don't exist, on any system), you can be reasonable confident that an M1 system doesn't have a (functional) backdoor running while you're running your own OS on it. Very few systems have this property; mostly only fully open boot systems like the Pinebook or Talos workstations. ~No x86 system does, not even the ones running Libreboot since they almost always have hardware with full DMA access running blobs.