Sure. This would seem to imply hardware vendors having prior access to the ME. The vast majority of users don't flash their BIOS with custom firmware, simply using whatever firmware the vendors give them. Users having the ability to install their own firmware would mitigate this risk, at the expense of a riskier overall ecosystem.
