$30 gets you the equipment needed to dump, modify, and re-write the firmware, clearing any firmware password.
And it doesn't matter: even if they did, you could modify the firmware on flash to bypass the checks.
There is nothing stopping someone with physical access from removing the firmware password via SPI flash.
It is a fundamental flaw of x86, IMHO, that there is no Boot ROM (BROM) which can perform signature/integrity checks on the UEFI firmware. ARM has this, x86 does not.