There are a few potential attacks if it were possible to remove the PIN, one of the most trivial to understand being the supply chain attack. Someone could resell a used unit as new by resetting the device and resealing everything. They could buy the device, flash a modified (insecure) firmware, remove the PIN and sell it to a victim. As far as I know, you need to set it up once (thus also setting a PIN) to flash a custom firmware.
How does a non-technical person verify that it's a genuine Foundation Passport hardware wallet with a genuine firmware? You mentioned supply chain attacks, and since I only have experience with Ledger, I know that a fake Ledger device can't connect to official Ledger servers. So if someone in the supply chain replaced the HW with a fake one or made modifications to it, I wouldn't be able to use it with the official software. How does it work with Foundation's HW?
JL0 correctly linked to the guide from Foundation Devices about supply chain validation, which they urge you to go through during setup. They obviously also have some packaging protection as highlighted in my unboxing.
Honestly, relying on some server seems like a pretty bad way to ensure a device is legit, alone for the fact that you won't be able to set up a ledger if they shut down this server.
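The reply above contrasts server-dependent genuineness checks with checks that work offline. The usual offline building block is signed firmware: the bootloader carries a pinned vendor public key and refuses any image whose signature does not verify against it, which needs no network and keeps working if the vendor disappears. The following Go program is an added illustration of that idea, not code from this thread, from Foundation Devices or from any real wallet's bootloader; the image layout, the Ed25519 choice, the `SignFirmware`/`VerifyFirmware` names and the anti-rollback rule are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical on-disk layout (constructed for this example):
// a version counter, the code payload, and a detached signature made by the
// vendor's release key over SHA-256(version || payload).
type FirmwareImage struct {
	Version   uint32
	Payload   []byte
	Signature []byte
}

// digest binds the version to the payload so an attacker cannot re-label an
// old, signed image with a higher version number.
func digest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignFirmware is the vendor-side step at release time. The private key never
// leaves the vendor; only the public half is baked into devices.
func SignFirmware(releaseKey ed25519.PrivateKey, version uint32, payload []byte) FirmwareImage {
	return FirmwareImage{
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(releaseKey, digest(version, payload)),
	}
}

// VerifyFirmware is the device-side step a bootloader would run before flashing.
// pinnedKey is the vendor public key burned into the device at manufacture;
// minVersion is the lowest version the device still accepts (anti-rollback).
// Nothing here talks to a server.
func VerifyFirmware(pinnedKey ed25519.PublicKey, minVersion uint32, img FirmwareImage) error {
	if len(pinnedKey) != ed25519.PublicKeySize {
		return errors.New("pinned key has wrong size")
	}
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	// Check the signature first: an unsigned or re-signed image is rejected
	// before any of its metadata is trusted.
	if !ed25519.Verify(pinnedKey, digest(img.Version, img.Payload), img.Signature) {
		return errors.New("signature does not verify against pinned vendor key")
	}
	if img.Version < minVersion {
		return fmt.Errorf("version %d older than minimum %d (rollback refused)", img.Version, minVersion)
	}
	return nil
}

func main() {
	// Constructed keys for the demo; a real vendor key would be long-lived and
	// its public half fixed in the device, not generated at runtime.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignFirmware(priv, 2, []byte("constructed firmware payload v2"))
	fmt.Println("genuine image:", VerifyFirmware(pub, 1, genuine))

	tampered := genuine
	tampered.Payload = []byte("modified payload with PIN check removed")
	fmt.Println("tampered image:", VerifyFirmware(pub, 1, tampered))

	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	resigned := SignFirmware(attackerKey, 2, tampered.Payload)
	fmt.Println("re-signed with unpinned key:", VerifyFirmware(pub, 1, resigned))

	fmt.Println("downgrade to v2 when min is 3:", VerifyFirmware(pub, 3, genuine))
}
```

The three rejection paths in `main` correspond to what the thread worries about: a payload altered after signing, an image signed with a key the device does not trust, and an older signed image pushed back onto a device. The scheme is only as strong as the pinned key and the bootloader that enforces it, which is why the packaging and setup-time validation mentioned earlier in the thread still matter.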