You have to ask how many heads of state, terrorists, drug lords, business tycoons, etc. are using Librem laptops, that an agency like the NSA (or the equivalent in the Chinese government) wants to spy on. My guess is that not that many high value targets are using Librem laptops, and an agency that wants to spy on key people is going to target the supply chain of companies like Apple and Lenovo, before it wastes time on a laptop maker that only sells a couple thousand laptops per year where there is a high probability of its spying efforts being discovered and publicly reported.
At any rate, the L14 is being built by a new OEM, so if some agency had compromised the supply chain and figured out how to insert spy chips in the L13 or L15, it will have to start over from scratch with the L14. It has never been reported exactly how the inserted spy chips work, but it took the Chinese government years to target the Supermicro servers, and they had strategic value (if we can believe the veracity of Bloomberg’s Supermicro story).
The L14 has a hardware switch on its motherboard that prevents any changes to the firmware or BIOS/UEFI. (I doubt that this switch would prevent firmware changes to isolated components, like the M.2 Atheros ATH9K WiFi/Bluetooth card or the SSD.)
You can detect whether anyone has opened the case (and potentially flipped that hardware switch) by painting glitter nail polish over the screws in the case and taking photos of the glitter patterns on the screws. If the nail polish is broken or the glitter patterns have changed, someone has opened the case.
If you fear tampering in transit from Purism to you, you should pay for anti-interdiction services. The NSA reportedly tampered with Cisco routing equipment when it was shipped from Cisco to customers.
Purism selects components that have free software drivers, and most Linux distros will automatically install the free driver instead of a proprietary driver, if a free driver is available. (By the way, proprietary firmware is far more likely than proprietary drivers.)
You can always run vrms to find out if you have any proprietary blobs on your system. For example, it is installed on Debian-based systems with this command:
sudo apt install vrms
There was a problem with linux-libre kernels not getting security updates, but the Debian kernels used by PureOS have never been linux-libre kernels and they get the standard Linux kernel security updates. Librem laptops are based on Coreboot, and unlike Libreboot, Coreboot is incorporating Intel’s recent security updates. (Google has a strong interest in keeping Coreboot up-to-date and secure since it is used in Chromebooks and Intel employees contribute to Coreboot.)
The only proprietary bits in PureBoot+Heads and Coreboot+SeaBIOS for the L14 are the Intel Management Engine (which is disabled), the FSP (Firmware Support Package) and Intel’s microcode. (The proprietary VGA BIOS has been eliminated.)
I don’t know what Purism’s policy is regarding security updates to those blobs, but I do know that Librem laptops get the latest Coreboot images very quickly after they are released by Coreboot, and Coreboot releases come with the most recent blobs from Intel, so as long as you keep updating PureBoot/Coreboot, you should have the recent blobs from Intel. For info on updating PureBoot/Coreboot, see:
https://docs.puri.sm/PureBoot/GettingStarted.html#updating-pureboot-firmware
The hardware switch on the L14 motherboard should stop unauthorized changes to the firmware.
If you have PureBoot + the Librem Key, and the Librem Key flashes green while booting, then the TPM and BIOS haven’t been changed. If it flashes red, then something has been changed, and they have potentially been “infected”. These articles provide a good overview of how Heads and the Librem Key work:
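As an added illustration of the green/red check described above (this is a simplified model written for this page, not code from Heads, PureBoot or Purism), the block below implements RFC 4226 HOTP and a constructed stand-in for the TPM and the Librem Key: the HOTP secret is sealed to a measurement of the boot chain, so tampered firmware changes the measurement, the secret cannot be unsealed, and the key never sees a valid code. The stage names, the shared secret and the SHA-1 PCR model are assumptions made for the example.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def measure(stages: list) -> bytes:
    """PCR-style extend over each boot stage: pcr = SHA1(pcr || SHA1(stage)), starting from zeros."""
    pcr = bytes(20)
    for stage in stages:
        pcr = hashlib.sha1(pcr + hashlib.sha1(stage).digest()).digest()
    return pcr

class SimulatedTPM:
    """Constructed model of sealing: a secret is bound to one PCR value and only unseals against it."""
    def __init__(self):
        self._sealed = {}
    def seal(self, name: str, secret: bytes, pcr: bytes) -> None:
        self._sealed[name] = (pcr, secret)
    def unseal(self, name: str, pcr: bytes):
        expected, secret = self._sealed[name]
        return secret if hmac.compare_digest(expected, pcr) else None

class SimulatedKey:
    """Stand-in for the Librem Key: shares the HOTP secret and keeps its own counter."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0
    def verify(self, code: str) -> str:
        ok = hmac.compare_digest(code, hotp(self.secret, self.counter))
        self.counter += 1  # the counter advances for every code presented to the key
        return "green" if ok else "red"

def boot(tpm: SimulatedTPM, key: SimulatedKey, stages: list, counter: int) -> str:
    """Firmware side: measure the boot chain, unseal the HOTP secret, present a code to the key."""
    secret = tpm.unseal("hotp", measure(stages))
    if secret is None:  # a modified stage changes the PCR, so the TPM refuses to unseal
        return "red"
    return key.verify(hotp(secret, counter))
```

The firmware-side counter is passed in explicitly here; a real implementation has to persist it so that it stays in step with the counter inside the key.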