Well, yes, it is always possible that there are bugs. If there were known bugs, they are likely to get fixed.
Once you admit the possibility of bugs, you can’t make a theoretical comparison of security because anything can be completely flawed if it has bugs. (For example, advocates of a trusted boot path would have to admit that you no longer have any such thing as a trusted boot path if there is a bad enough bug in the code that implements it.)
I don’t think bugs are a very profitable avenue to discuss since bugs are by definition unintentional (except when they are intentional) and have no bound on how severe they are in their effect.
People bagging it out in that way are probably advocating for a trusted boot path, i.e. you can only run software that some Big Tech company or companies somewhere in the world decide you can run - or, even worse, on top of that, your government using leverage over said Big Tech company or companies therefore also decides what you can and cannot run.
So it comes down to wanting freedom and control over your own life … or not.
There is definitely a theoretical discussion to be had on this issue (trusted boot path) but if a trusted boot path is incompatible with your values then there is no discussion to be had.
Pureboot with a Librem Key is a philosophically different approach. It should offer the same level of integrity as a trusted boot path - but it puts the control and responsibility onto the customer. Instead of Big Tech companies signing things, you do.
I think someone would have to demonstrate an actual attack, which would make for a concrete discussion. I dare say that if there were known remote attacks, they would get fixed very quickly.
Remote attacks are difficult against the early boot process because the network isn’t even up (depending of course on what you mean by “remote” - I mean a nearby attacker might have more success against Bluetooth if you choose to enable Bluetooth in the early boot - as you may have to do if you have a Bluetooth keyboard).
There are a whole range of concerns about Intel’s homunculus CPU that might allow network attacks (remote attacks) before the computer even boots. Those concerns would seriously undermine all approaches to boot security - so I believe that the Librem 14 (and other Purism laptops) would leave that Ethernet unconnected and have a separate Ethernet for actual use.
My guess is that eventually Intel will extend those concerns to wireless networking.
For the Librem 14, yes. Someone with physical access can change the firmware. Someone with physical access to the Librem Key can presumably do bad things to it. So you should retain custody of your devices at all times.
It is usually the case that someone with physical access will find a way to compromise your computer.