On most modern micro-controllers you can disable JTAG/SWD in production or gate access behind key verification. You can't disable undocumented commands. The issue here might be allowing persistent malware, like how some malware can hide in hard drive firmware. Unlikely, but still not good or indicative of good security practice.
