Presumably Pureboot contacts the TPM chip to validate that you entered the TPM admin password before letting you change Pureboot settings or overwrite Pureboot.
The documentation isn’t clear whether you can turn off USB booting. I know that it can be done in Seaboot, but I don’t have a clue about Heads/Pureboot and I don’t own a Librem 13/15 to check. Probably this is question for @MrChromebox.