Sure, but they were designed with that in mind, and have presence and authentication requirements, that, as I understand, are not retro-fittable to older devices.

My claim isn’t “it’s impossible to implement a secure bootloader that also has escape hatches”. I’m saying it’s borderline impossible to do that retroactively for a fleet of obsolete devices, in a way that doesn’t compromise security of those.