We have photographic evidence of the NSA intercepting Cisco routers. I'm not sure the country of origin matters if you have a red spot painted on your back.
What's being proposed here - as an alternative solution to mass-produced Chinese equipment of unknown trustworthiness - is to purchase different mass-produced Chinese equipment of unknown trustworthiness.
Your example of highly-targeted physical interception by state-level actors is irrelevant here.
You are really bringing your own OS here. The nanopi can run mainline linux and u-boot[0]. If you suspect an Intel ME-style component with ring -3 access, it should show up in the initialization sequence - there are no blobs here. Features like these are not cheap to implement, especially when Chinese vendors are so keen on cutting costs.
Essentially, this means that there is zero risk, unless you are a target, at which point any unintentional hardware bug caused by the aforementioned corner-cutting will become a concern.
How do you guarantee there isn't some logic flashed onto the chip that overrides the bootloader sequence?
btw, I asked about this 5 months ago [0] and got some interesting replies. I ended up purchasing a PCEngines board (just before they went out of business)
From what I've seen, networking peripherals you can attach to a Pi via USB, or whatever, can't really compete with networking peripherals in routers that are integrated on SoCs/SoMs.
I figure people are using them for router things, like using it as a wireless AP and switch, and the hardware available for those use cases usually fall short of what's available on router SoCs.
