Re: 'None of the actors can be taken at face value
With silicon thinning (already used for HBM stacks, for example), you could easily stick the silicon into the motherboard substrate, between standard layers. The bulge would be imperceptible, and the thin silicon might not register for x-rays or other hardware scanning solutions.
I presume this chip is installed onto a serial data link to the flash memory, and on power on it intercepts the serial bitstream from the flash, and adds enough to install its payload.
The hardware security solution to this is on-board flash and memory on the server management processor, preferably on the same die, made with security hardening techniques.