> I'm almost at the point where I consider any type of firmware update for anything to be actively hostile and to be avoided if at all possible
I reached that point a number of years ago. I've more recently reached the point where I feel the same about software updates generally, not just firmware ones.
A software update all too often means that the main thing you bought the software for is nerfed or removed.
I have archival computers that I maintain specifically for this. I can run nearly every AI/ML software released since 2018, on the operating system it was designed for, with the correct libraries and drivers. No docker. All on the metal.
I do use venv, but that's so I don't pollute the system with libraries.
I disallow internet access, too. That is, I don't put a gateway or DNS server in, but the LAN works.