My guy nostr:npub129puxu7lrd2g5a7hnmr57fe9t5ffk62m2gklkkl5xjvt5j6srhuswhhud3 would like to have a word with you about firmware and ensuring your physical hardware isn't compromised.

Not clear how that is done exactly, so we might be fucked.

Discussion

For desktops/laptops your best bet is https://libreboot.org/; the fastest one you can get is an i5 ThinkPad T480. Ideally flashed by yourself and all that.

https://system76.com/ for modern computers. Coreboot firmware with me_cleaner, but with weaker ME-disabling guarantees than libreboot. I wouldn't put my most sensitive stuff on these, but they're a great fit for something like QubesOS, where you need lots of threads to maintain performance.

Phones are mostly a lost cause until we can get free and open-source firmware SoCs. GrapheneOS has great privacy guarantees on the software side, but the Titan chip is a major black box, same with the modem and the SoC as a whole.

Honorable mention to puri.sm too; they also have similar offerings to system76.

Note too that when you get into firmware backdoors, you're getting into expensive targeted-attack territory, mainly with compromised trusted execution environments and trusted encryption chips. Passive surveillance is nearly impossible at this level, and thus, for most threat models, a spyware-free Linux distro and GrapheneOS are more than sufficient for extremely strong privacy guarantees.

If you're hiding thousands of Monero from state actors, then you're going to want Libreboot + Kicksecure live mode + a VeraCrypt hidden volume for wallet files, or something similar. As your threat model decreases, you can compromise on these measures.

Libreboot/Dasharo is the only viable option from what I was able to find. Only Intel ME can be neutered; for AMD, Apple Silicon or mobiles it is not possible. You can buy ME-neutered laptops, desktops and/or servers here: https://shop.nitrokey.com/shop?&search=nitropad
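Both the system76/me_cleaner comment and the "ME neutered" comment above come down to one question a practitioner can actually check: what does a flash dump from the machine say about the ME? As an added example (not code from this thread, and not part of libreboot, Dasharo or me_cleaner), the Python script below parses the Intel flash descriptor at the start of a full SPI dump, locates the ME region from the region table, reads the two disable straps that me_cleaner sets (the HAP bit, PCHSTRP0 bit 16, for ME 11 and later; AltMeDisable, PCHSTRP10 bit 0, for ME 8 to 10), and measures how much of the ME region has been blanked to 0xFF, which is what me_cleaner's partition removal leaves behind. The offsets and bit positions follow the public descriptor layout as me_cleaner handles it; `build_sample_image` is a constructed test image with filler bytes in place of firmware, so the numbers it produces illustrate the parser and say nothing about any real product.

```python
import struct

# Intel flash descriptor constants (public layout, as handled by me_cleaner).
FD_SIGNATURE = 0x0FF0A55A          # FLVALSIG, found at offset 0x10 of the flash image
REGION_NAMES = ("Descriptor", "BIOS", "ME", "GbE", "PDR")
IMAGE_SIZE = 0x40000               # constructed 256 KiB image; real dumps are 4-32 MiB


def parse_descriptor(img):
    """Decode the region map and the ME-disable straps from a full flash dump.

    Returns the region table, the HAP bit (ME 11+, PCHSTRP0 bit 16) and the
    AltMeDisable bit (ME 8-10, PCHSTRP10 bit 0). Which strap applies depends on
    the platform's ME generation, so both are reported.
    """
    if struct.unpack_from("<I", img, 0x10)[0] != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", img, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4    # Flash Region Base Address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4   # PCH soft-strap base (me_cleaner's "fpsba")

    regions = {}
    for idx, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", img, frba + 4 * idx)[0]
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        # An unused region is encoded with base > limit (typically 0x00007FFF).
        regions[name] = None if base > limit else (base, limit)

    pchstrp0 = struct.unpack_from("<I", img, fpsba)[0]
    pchstrp10 = struct.unpack_from("<I", img, fpsba + 0x28)[0]
    return {
        "frba": frba,
        "fpsba": fpsba,
        "regions": regions,
        "hap_me11": bool(pchstrp0 & (1 << 16)),
        "altmedisable_me8_10": bool(pchstrp10 & 1),
    }


def me_region_erased_fraction(img, regions):
    """Fraction of the ME region that is blank (0xFF). A stock image is near 0;
    after me_cleaner -S has removed most partitions it is typically well above 0.5.
    A high fraction is evidence of trimming, not proof that nothing ME-resident remains."""
    base, limit = regions["ME"]
    region = img[base:limit + 1]
    return region.count(0xFF) / len(region)


def build_sample_image(hap_set, me_trimmed):
    """CONSTRUCTED test image: a valid descriptor header and region table wrapped
    around filler bytes. It contains no real ME firmware and will not boot anything."""
    img = bytearray(b"\xFF" * IMAGE_SIZE)
    frba, fmba, fpsba = 0x40, 0x60, 0x100
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    flmap0 = (4 << 24) | ((frba >> 4) << 16) | 0x03     # NR=4 (5 regions), FRBA, FCBA=0x30
    flmap1 = ((fpsba >> 4) << 16) | (fmba >> 4)         # FPSBA, FMBA
    struct.pack_into("<II", img, 0x14, flmap0, flmap1)
    # FLREG0..4: descriptor 0x0-0xFFF, BIOS 0x20000-0x3FFFF, ME 0x3000-0x1FFFF, GbE/PDR unused.
    flregs = (0x00000000, 0x003F0020, 0x001F0003, 0x00007FFF, 0x00007FFF)
    struct.pack_into("<5I", img, frba, *flregs)
    img[fpsba:fpsba + 0x40] = bytes(0x40)                # clear the strap area (filler is 0xFF)
    struct.pack_into("<I", img, fpsba, (1 << 16) if hap_set else 0)   # PCHSTRP0
    # Fill the ME region with a byte pattern standing in for firmware; a "trimmed"
    # image keeps only the first 4 KiB populated (like a kept FPT plus a small FTPR).
    me_base, me_limit = 0x3000, 0x1FFFF
    fill_end = me_base + 0x1000 if me_trimmed else me_limit + 1
    img[me_base:fill_end] = bytes(i & 0xFF for i in range(fill_end - me_base))
    return bytes(img)


def check_image(img):
    """What to look at before flashing: where ME lives, whether a disable strap is set,
    and how much of the region has been removed."""
    d = parse_descriptor(img)
    d["me_erased_fraction"] = me_region_erased_fraction(img, d["regions"])
    d["me_disabled_by_strap"] = d["hap_me11"] or d["altmedisable_me8_10"]
    return d


if __name__ == "__main__":
    for hap, trimmed in ((False, False), (True, True)):
        r = check_image(build_sample_image(hap, trimmed))
        base, limit = r["regions"]["ME"]
        print(f"ME region 0x{base:X}-0x{limit:X}  HAP={r['hap_me11']}  "
              f"erased={r['me_erased_fraction']:.2%}")
```

To use it on a real machine, read the full chip with flashrom (`flashrom -p internal -r dump.bin` where the board allows internal access, otherwise an external programmer on a SOIC clip, which is what "flashed by yourself" in the thread means in practice) and pass the dump to `check_image`. Two caveats match the thread's "weaker guarantees" point: the HAP/AltMeDisable strap only asks the ME to halt after early bring-up, and the erased fraction only shows what was removed from flash, so neither says anything about the ROM-resident code inside the chipset itself.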