Basically none. You’ve got the ME (or AMD’s equivalent) on the CPU anyway so you really can’t avoid having some kind of rootkit. Older Intel hardware that doesn’t have the ME or can be neutered is the best bet, and these machines don’t use UEFI anyway. Otherwise you could go for a non-Intel/AMD architecture, but there aren’t that many of those around anymore.
Disabling all of the parts of the ME except the part that lets the computer stay powered on is fortunately now well-documented (NSA-requested HAP support).
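To make the "well-documented" part concrete from the auditing side: the ME-disable setting lives in the PCH strap area of the Intel flash descriptor, so you can check a dump of your own SPI flash for it without modifying anything. The script below is an added example, not code from this thread; it follows the publicly documented descriptor layout as used by me_cleaner (signature 0x0FF0A55A at offset 0x10, FLMAP1 at 0x18 carrying the PCH strap base in bits 16..23 in 16-byte units, HAP in bit 16 of PCHSTRP0 on ME 11+ platforms, the older AltMeDisable bit in bit 0 of PCHSTRP10 at strap base + 0x28). It assumes the image starts with the descriptor and reports both bits; which one is meaningful depends on the platform generation, so treat that mapping as an assumption to confirm against the documentation for your chipset. The synthetic image builder is constructed test data, not a real dump.

```python
"""Report the ME-disable strap bits from an Intel flash descriptor dump.

Added example (not the thread's own code). Offsets are from the public
descriptor layout as used by me_cleaner; see the lead-in for the assumptions.
"""
import struct
import sys

DESCRIPTOR_SIGNATURE = 0x0FF0A55A   # appears little-endian as 5A A5 F0 0F
SIGNATURE_OFFSET = 0x10
FLMAP1_OFFSET = 0x18
PCHSTRP10_OFFSET = 0x28             # relative to the PCH strap base
HAP_BIT = 1 << 16                   # PCHSTRP0 bit 16 (ME 11 and later, assumption)
ALT_ME_DISABLE_BIT = 1              # PCHSTRP10 bit 0 (older platforms, assumption)


def parse_straps(image: bytes) -> dict:
    """Locate the PCH straps and return the two ME-disable bits (read-only)."""
    if len(image) < FLMAP1_OFFSET + 4:
        raise ValueError("image too short to hold a flash descriptor")
    (sig,) = struct.unpack_from("<I", image, SIGNATURE_OFFSET)
    if sig != DESCRIPTOR_SIGNATURE:
        raise ValueError(f"no flash descriptor signature at 0x{SIGNATURE_OFFSET:x}")
    (flmap1,) = struct.unpack_from("<I", image, FLMAP1_OFFSET)
    # FPSBA: PCH strap base address, stored in 16-byte units in bits 16..23.
    fpsba = ((flmap1 >> 16) & 0xFF) << 4
    if fpsba + PCHSTRP10_OFFSET + 4 > len(image):
        raise ValueError("PCH strap region lies outside the image")
    (pchstrp0,) = struct.unpack_from("<I", image, fpsba)
    (pchstrp10,) = struct.unpack_from("<I", image, fpsba + PCHSTRP10_OFFSET)
    return {
        "pch_strap_base": fpsba,
        "hap_bit_set": bool(pchstrp0 & HAP_BIT),
        "alt_me_disable_set": bool(pchstrp10 & ALT_ME_DISABLE_BIT),
    }


def build_synthetic_image(hap: bool, alt_me_disable: bool) -> bytes:
    """Constructed test image (not a real dump): descriptor header plus straps at 0x100."""
    img = bytearray(0x200)
    struct.pack_into("<I", img, SIGNATURE_OFFSET, DESCRIPTOR_SIGNATURE)
    fpsba = 0x100
    struct.pack_into("<I", img, FLMAP1_OFFSET, (fpsba >> 4) << 16)
    struct.pack_into("<I", img, fpsba, HAP_BIT if hap else 0)
    struct.pack_into("<I", img, fpsba + PCHSTRP10_OFFSET, ALT_ME_DISABLE_BIT if alt_me_disable else 0)
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_synthetic_image(hap=True, alt_me_disable=False)
    for key, value in parse_straps(data).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

Run it against a flash dump taken with your usual SPI tooling (`python3 straps.py dump.bin`); with no argument it parses the constructed image so the logic can be checked offline. It never writes to the image, so it is safe to use as a verification step after applying a documented HAP change.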
Clearly there's some component of UEFI that's in firmware, right? I don't really know all the terminology and such here, so please correct my understanding, but -- even if you don't have a disk, you'll get some UEFI bootloader. I seem to recall that some devices like many Chromebooks will have some extensive EFI blobs in firmware partitions, at least some of which is a read-only "get back to factory settings if you really screw up" stuff. I don't see what could stop a vendor from putting whatever they want into a read-only firmware EFI partition; I'm pretty sure they exist in the wild.
The Chromebook’s user partition is read-write, and the system is read only (save for updates). The “powerwash” factory reset just wipes the user partition. The OS restore (if you can call it that) is not stored in boot flash, just standard data/nvme disk.
If you wipe the whole disk, you still need to use a bootable restore USB to restore it.
This has nothing to do with the fact that it is UEFI booting.