The whole excuse for the vendor keeping control of "your" computer via the ME/PSP was so that physical access wasn't game over. At minimum this is a complete failure of the original purpose, and worst case is that it actually reduced security versus not having it there at all.
Plus, in this case, physical access isn't even required. Just some means to "update" the BIOS (PSP + UEFI + Agesa) back to the vulnerable version, which remains signed by AMD and valid to the hardware's signature checks as far as I know...