"The mechanism for initiating execution of this alternate set of instructions is as follows:
1. Set the FCR ALTINST bit to 1 using WRMSR instruction (this is a privileged instruction). This should be done using a read-modify-write sequence to preserve the values of other FCR bits.
2. The ALTINST bit enables execution of a new x86 jump instruction that starts execution of alternate instructions. This new jump instruction can be executed from any privilege level at any time that ALTINST is 1."
So turning on the ability to execute ring-0 non-x86 instructions from ring 3 requires an initial privileged instruction. I believe (from other commenters) that the issue arises because some of the CPUs left the fab with ALTINST set to 1 by default. Meaning, no privileged instruction required. Clearly, that's a fuck-up somewhere.
I'd call it a glaring design flaw. And if very, very few users might notice that documentation, then I'd call it a backdoor hidden in plain sight. For all intents and purposes it really is a backdoor.
You're being either overly generous to Intel or you're underestimating how well funded some of the espionage organizations really are. And consider that for decades espionage organizations have been taking advantage of bugs in commercial products. This is so well documented at this point that it's not even worth arguing. Personally I believe this has been going on since the '70s.