There are some workarounds against IME, and Purism and System76 sell laptops with the IME disabled. They all have Intel laptops, though, not sure how things look with AMD.
Purism aren't safe... it's an overpriced gimmick. You can't disable IME with the modern CPUs that are used in Purism laptops. It's a workaround with Coreboot but you still have Intel's proprietary binary blobs. There's no workaround, you need old hardware, and you need to do the hardware changes I said, if you want to use Intel and be as private as possible. You need Libreboot, not Coreboot, and thus you are limited to a very small array of hardware. Same applies for System76. They are using i5s and i7s.
With AMD there's nothing to do, other than buying older hardware.
Right, but if you use that old equipment that Libreboot will run on with its fully free software/open source firmware, then you're still susceptible to CPU microcode flaws that are no longer fixed for those old EOL'ed hardware platforms.
I agree with you both on all points though. Unfortunately, everything hardware related is a compromise right now, the only fully free new platforms are POWER8/9 (expensive, and IBM are not easy to trust), and RISC-V (expensive, and underpowered, and sponsored by the usual rogues gallery of Intel, Google, IBM etc.)
I've opted to: do almost nothing, buy cheap hardware and very infrequently