Not dodging anything, already answered that question above. You can't verify 100% of everything running on the device 100% of the time. There are no good/suitable open source SE's, that's why good HWW manufacturers use the secret splitting architecture that they do today.

Being able to install auditable + reproducible open source code, signed by either yourself or the HWW manufacturer, to an entirely air gapped device is a HUGE improvement over something entirely black box.

Can't believe the notion of this is even being contested.