If I would have to guess this is more mundane than it first might appear, and probably a good security precaution. Rather than pushing out one, two or three ssh key pairs that have the private key pair running on some part of spacex CPE provisioning infrastructure that has access to millions of CPEs, they've got a more specific series of keys (perhaps by serial number of terminal produced, or production date?) where the management infrastructure has access to a much smaller number of terminals. Whatever they're doing with the private halves of those SSH keys can be compartmentalized.