It’s not impossible but I’d say it’s unlikely. This is not a scalable way to do bad things while it costs a lot. That’s why it’s typically reserved for targeted bad things. I.e. someone wants to do bad things to you specifically. For example if you’re an uncomfortable journalist. If there’s a machine put up on the wide second hand market for anyone to buy, it’s probably not one of those cases.

Just to freak you out, I’ve played around with the EC on my Framework, and it really wouldn’t be hard for someone to create a modified firmware with a key logger built in or something. But AFAIK the EC doesn’t have internet access or a way to screw with the OS, so it would be mildly pointless without accompanying software.

Modifying the BIOS seems slightly more difficult, although I think some Frameworks are still vulnerable to LogoFAIL.

I wouldn’t worry about extra chips, they’d either be quite noticeable that they shouldn’t be there, or too expensive to be wasted on a stranger.

So the chances are, unless you’ve got some proper enemies, it’s fine. I’d definitely update the BIOS (which also updates the EC), and fresh install Windows/Linux, but that’s as far as I’d go.