
It would also help if there was a standard header on the mainboard that you can use to verify all of the flash chips when the computer is powered off to minimize the amount of the computer you have to trust.

While some may argue that this header would be the perfect place to install an implant, doing so is vastly harder than popping some manufacturer's computer. Also, since the header will be specifically checked by some users, it becomes a very risky place to install an implant.




I think it would be easier to do it safely if you made it so that the number of chips to be flashed was small and they were easy to pop on and off the motherboard. I grant that this is more work to use than a single master connector, but it removes that point of vulnerability both for undermining the ability to flash things and the massive backdoor that is a single port with the ability to reimage every chip in the machine.


Ideally the write enable line of the flash chips would be hooked up to their respective application processors, so when you are reading them via this header they will be read-only as the processor would still be powered down. For an adversary that is able to remove soldered chips there isn't much you can do without going completely custom for everything.

Having sockets would increase the costs ($1-20/flash chip) and doesn't raise the sophistication level of the attacker from unskilled labor (literally anyone in the chain of custody) to skilled labor (e.g., someone that can do SMT or BGA rework).


I've recently reflashed BIOS/UEFI chips by soldering plastic-ended jumper wires (easier to work with than regular breadboard wire) directly to the BIOS chips, plugging the other end into a Raspberry Pi's SPI host pins, and running flashrom. It's definitely involved to learn and tricky to pull off (like any form of complex soldering), but much lower in equipment costs than desoldering surface-mount flash chips (which I hear requires hot air to do without damaging the chips or board).
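A verification step for the flash dumps discussed in this thread, as an added example that is not part of any comment above: it checks a freshly read image against a known-good one and lists the byte ranges that differ. The sample images and their hash are constructed for the example; real dumps would come from `flashrom -r`.

```python
"""Compare a captured SPI flash dump against a known-good image and report
every modified region. Added example; assumes both images come from the same
chip size (e.g. two `flashrom -r` reads over a Raspberry Pi SPI host)."""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def changed_regions(reference: bytes, captured: bytes) -> List[Tuple[int, int]]:
    """Return (start, end) byte ranges (end exclusive) where the images differ.
    Runs of differing bytes are merged into one region so a patched block
    shows up as a single entry rather than one line per byte."""
    if len(reference) != len(captured):
        raise ValueError(f"size mismatch: {len(reference)} vs {len(captured)}")
    regions: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(reference, captured)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(reference)))
    return regions


def verify_dump(reference: bytes, captured: bytes, expected_sha256: str) -> Dict:
    """Confirm the reference image matches its published hash, then check the
    capture is byte-identical to it. Returns a small report."""
    ref_ok = sha256_hex(reference) == expected_sha256
    regions = changed_regions(reference, captured)
    return {"reference_hash_ok": ref_ok, "identical": not regions, "regions": regions}


# Constructed sample: a 4 KiB "golden" image and a capture with two patches.
GOLDEN = bytes((i * 7) & 0xFF for i in range(4096))
GOLDEN_SHA256 = sha256_hex(GOLDEN)  # stands in for a vendor-published hash
_tmp = bytearray(GOLDEN)
_tmp[0x100:0x104] = b"\xde\xad\xbe\xef"  # 4-byte patch in the body
_tmp[0xFFF] = 0x00                       # single byte changed at the tail
TAMPERED = bytes(_tmp)

if __name__ == "__main__":
    report = verify_dump(GOLDEN, TAMPERED, GOLDEN_SHA256)
    for start, end in report["regions"]:
        print(f"modified 0x{start:06x}-0x{end:06x} ({end - start} bytes)")
```

With real hardware, read the chip twice and confirm the two reads are identical before comparing against the vendor image, so a flaky SPI connection is not mistaken for tampering.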



