> The device can default to booting software signed by the manufacturer but the user should always be able to use a physical key to unlock the device and install his own keys and certificates instead.

This part is not going to happen, because security services need their backdoors intact. If you supply user with keys, they might flash the device with more secure operating system rendering any surveillance effort fruitless.

If I worked in a European intelligence agency, and considering how the the official US security policy revolves around bringing about regime change in Europe in support of far right extremist parties, and how supportive the tech company leadership seems to be of those goals, I would probably think that locking that very real existential threat to their democracies out would be a worthwhile tradeoff.