
Tell me more about this. What does this system do, and why can't we do anything about it?


The first section of [1] explains that with references.

[1]: https://legends2k.github.io/note/clean_me


Oh my. I don't see why Bloomberg got all busy with hidden Chinese chips. It looks like Intel already have it covered.


Alas, it is so. Graphics cards have much the same going on. It's part of why Nvidia will likely never open-source or mainline their drivers... They have a huge need for blobs and hardware-backed secrecy in order to enable most systems to be compatible with HDCP. That means they need to be able to attest to their cards having not been compromised since leaving the factory.

As someone could in theory cobble together an HDCP compliant rig and good heavens, might be able to intercept and decode HD content!

So much of what makes the tech giants so lucrative is that they act as centralization points for industry level orchestration of what user behavior to support.

You can bet that if an industry working group is stoked, there's likely hidden in there somewhere an implementation detail intended to curb an undesirable user freedom or general capability.


> HDCP compliant rig and good heavens, might be able to intercept and decode HD content!

As if that even matters - pointless standard. Can't think of any content that there isn't a torrent up hours after it's available lol


The biggest difference is that graphics cards don't have network access. Without network access, proprietary code can be an annoyance, but won't be an outright compromise.

(Sure, the code could still do nasty stuff like facilitate TEMPEST or other side channels, but that's leaps and bounds ahead of the built-in assumed-RCEs of ME/PSP.)


Not just Intel. AMD too.


> What does this system do,

It can be used for 'out of band' management of your system, including firmware/BIOS rollouts and updates. Allows remote hijacking of attached hardware devices. Basically can puppeteer your entire system.

> why can't we do anything about it?

Because there is no ability to update or modify this code. It is only updatable by the hardware vendor as it is encrypted, signed and checked during update.




Faraday cage can do something about it.



