The answer is as old as the hills, it's been used on mechanical devices ever since they got to be capable of amputating fingers. A scabbard for a knife or sword, a safety catch on a firearm, ....
In electronics form, it's the WRITE ENABLE switch, which I first saw on a DEC exchangeable-platter disk drive storing all of 20Mb on 15-inch FeO2-coated platters.
It doesn't have to be a switch, just something that can be done by the owner, given physical access to the hardware, and never by a piece of malicious software (at least, not until the hardware is a robot, in which case we'll have to re-discover what for a human is the small of his back).
Anyway, for a PC motherboard, there should be a SECURE BOOT DISABLE jumper, just as there is a password disable jumper for the better modern BIOSes. For other smart devices, something similar, requiring a simple but nontrivial amount of fiddling with the device.
For manufacturers worried about warranty returns, it might even be a one-way trip - protect the switch or jumper with one of those "warranty void if removed" security labels. Two levels of the same idea.