If you don't mind: given your background, as a personal sanity check for me, would you recommend a Lenovo ThinkPad for sensitive use cases?

Not the person you’re replying to, but things like the Intel Management Engine and the AMD equivalent are very powerful software on pretty much any laptop, that people consider close to back doors.

If you really need secure hardware, a librem laptop (iirc the right name) with openboot is the best.

However if you aren’t dealing with state secrets, any average computer is likely good enough. Just steer clear of unheard brands that sometimes have shady installers (there was a recent incident but it was an unheard brand name).

Thanks, I guess I should be specific about threat modelling.

Let's say I am a sensitive US gov worker or contractor, or I work on state of the art tech/research in the USA. (all juicy targets for the CCP)

I would be correct in thinking that Intel Management Engine is likely NSA pwned, and likely not CCP pwned, correct?

Generally, yes, as Intel is a US company.

That is of course assuming that the CCP didn't reverse engineer or crack it or hack NSA and also have access.

I think you will be better served by articles/blogs by the likes of librem and amnesty (I'm thinking of the group that found pegasus, I think it was some other human rights org from Canda?)/eff. Those guys will have better suggestions to harden your device. Also - ask your IT guy, or the IT guy of the US govt dept where you're working for their best practices.

Hacking risks can either be specific (eg Bezos being personally targeted) or a catch-all (eg stuxnet) where they target your entire department. If you're just one of hundreds of contractors you're likely in the second category which is relatively easier to protect yourself from.