Why does that matter at all? There's no persistence granted by the debug commands. When you flash it with your firmware, it's clean. If you trust the firmware that ships, they can do arbitrary code in it, so why care about a few debug interfaces?
You're not responding to the full statement. Grandparent was saying that a supply chain attack is not possible with this exploit ("exploit", I guess -- again there's no security boundary being crossed here), not that supply chain attacks don't matter in the abstract.
