Which is another reason we need to strip this hardware attestation stuff out of the hardware. It either needs to use exclusively keys the user loaded into the device themselves or the keys aren't on the device whatsoever and then the "high value targets" verify the contents of the drive from a known-clean machine once they get it back from the adversarial foreign officials before putting it back into service. Or better yet, keep a separate laptop on each side of the border and then sync the data over the internet instead of losing physical control over the device at an adversarial border.
Plenty of adversarial countries have a competent security service. A foreign government can compromise the corporation's root signing key for the devices through technical attacks and through bribery, espionage, physical intrusion, etc. And they're not going to tell you that they have before using it against your high value targets, so how do you protect them? By not relying on systems with a single point of compromise.