Hacker News

...this is starting to feel like a major screwup on Apple’s part, is there a reason to think otherwise?



Yes, although now the Mac is as secure as any PC with UEFI Secure Boot (and no Intel ME), which isn’t necessarily the end of the world if you have a long firmware password (which protects the Recovery Mode secure boot utility) and login password (which protects FileVault). If you’re in a position where you could be compromised by a state actor or a hacker group (that can find a public flaw in Secure Boot that isn’t just turning it off), perhaps throw away your Mac, but everyone else should still be “okay”.

Part of me wonders if there could be a way to permanently disable DFU mode (preferably outside of epoxy in the upper left USB-C port). That would prevent someone from jailbreaking the T2, albeit you would no longer be able to replace the SSD or Touch ID sensor (not that you’d want to anyway if you were at risk).


Unfortunately, physically obstructing the primary port would not completely prevent DFU from being accessed. With the aforementioned accessory device, the ACE Type-C controllers within Macs can automatically reroute the DFU, DCI, and PCH/T2 UARTs to any of the other ports, irrespective of the T2 and PCH. Apple uses this technique as part of their factory test harness.


Also the USB-C ports are not on the MLB, they are on I/O boards that can fairly easily be replaced …



