“Intel Boot Guard is an ME application introduced in Q2 2013 with ME firmware version 9.0 on 4th Generation Intel Core i3/i5/i7 (Haswell) CPUs. It allows a PC OEM to generate an asymmetric cryptographic keypair, install the public key in the CPU, and prevent the CPU from executing boot firmware that isn’t signed with their private key. This means that coreboot and libreboot are impossible to port to such PCs, without the OEM’s private signing key. Note that systems assembled from separately purchased mainboard and CPU parts are unaffected, since the vendor of the mainboard (on which the boot firmware is stored) can’t possibly affect the public key stored on the CPU.”

From libreboot faq. There is precedent for this and it just hasn’t been heavily exercised, yet

Unless you build the hardware you cannot prevent this from happening. It’s merely a question of how long until 99% of tech devices are basically iphones and you need a very restrictive “developers license” to buy the (likely extremely expensive) 1% that are not that puts legal repercussions on you if you do anything that they do not like