Note too that when you get into firmware backdoors, you're getting into expensive targeted attack territory, mainly with compromised trusted execution environments and trusted encryption chips. Passive surveillance is nearly impossible at this level and thus, for most threat models, a spyware-free Linux distro and GrapheneOS are more than sufficient for extremely strong privacy guarantees for most.
If you're hiding thousands of Monero from state actors, then you're going to want Libreboot + Kicksecure live mode + VeraCrypt hidden volume for wallet files or something similar. As your threat model decreases you can compromise on these measures.