Well, my flippant answer is also, I think, the right one: I don't see a way to build a system I'd trust based on x86 or ARM CPUs any more, and that's why I'm putting all my work into RISC-V. RISC-V is not real, yet, but it's getting there, and the x86 situation has only gotten worse, not better, in the last dozen years :-(
For reasons I don't quite understand, ARM Inc. has decided the x86 model is the right one for ARM v8, and is diving into the UEFI/ACPI tarpit just as deep as it can. I don't understand their thinking.
I don't expect any of this to change; I expect it to get worse. And RISC-V is no guarantee, either: there are some things built into that architecture that can support vendor mischief, the main one being the requirement to do BIOS calls to do trivial operations, such as enable and reset timer interrupts, or find out your core ID. Further, vendors like Red Hat are pushing hard for UEFI and, I assume, ACPI as the RISC-V standard, for reasons I still don't understand. But it ought to be possible to build RISC-V systems that are much more trustworthy than the x86/ARM systems.
ron