This is a problem of bad engineering: not using an immutable OS firmware model with a spare.
There ought to be 3 physically-separate flash devices: bootloader (never changed), OS (managed by bootloader - updates deleted unless signed correctly), and data (wipeable by a physical reset button).
If you don't do this, then you're inviting implants a priori.
There ought to be 3 physically-separate flash devices: bootloader (never changed), OS (managed by bootloader - updates deleted unless signed correctly), and data (wipeable by a physical reset button).
If you don't do this, then you're inviting implants a priori.