Yeah, I think it is prudent to be extra cautious of any black box which is security-specific, from closely government-connected vendors (staff, sales). A CEO would probably be sued by shareholders, or even go to jail, for refusing an extralegal polite request from their 95% customer (gov and gov-connected banking) to back door devices going to public enemies.
The solution is end-user-verifiable designs. Harder with hardware, but there have to be ways to do it. The risk is highest for single-purpose vs. general-purpose devices. If SafeNet HSMs aren't owned as fuck, I'll eat one.
http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf