There is another varient of why an update might pose a threat after purchase

If we're talking about an otherwise free OS, they'd need to compel the manufacturer (to modify and sign the update) and also whatever third party channel is used to distribute that (either a distro or the LVFS). There's various ways we could mitigate this (additional parties hosting hashes of each update, remote attestation of the service so we can verify we're communicating with something running the published source code, that kind of thing) if it feels like a sufficient therat.