Blacken, where do you stand on 3rd party hard drives or RAM for a desktop or laptop computer?
To the best of my understanding (and this may not be true for PCIe-based storage solutions), nothing coming over SATA has a practicable attack vector into the CPU, to say nothing of the TPM (and if it was it would probably be specific to the board and the SATA controller), so I'm fine with those. RAM too, as RAM's connectivity is strictly electrical coming back down the bus and it's functionally inert. Both of those examples are peripheral devices; the system is designed (if not perfectly) to deal with bad peripherals. Similarly, I think that bricking an iPhone because of a replacement to an actual
peripheral, like a third-party Lightning cable, would be totally not cool. But I'm OK with bricking a laptop if somebody, say, replaces the southbridge on the board with something else, even though nobody's actually cryptographically securing that
right now; the only reason I can think of to do that is to fuck with somebody else, so err on the side of caution and shut it all down. I view the TouchID sensor as being much more like that than a third-party hard disk.
There's also the whole "this is a device, it is not a computer" thing about iOS that, frankly, I don't like, but that's one of the reasons that the only consumer OS I would trust with life-or-death data that absolutely under no circumstances could ever, ever be leaked is non-rooted iOS. It is a hard nut to crack, and this just makes it harder.
EDIT: Here's a rule of thumb that I just put together: if a component has its own processing capability, it should either be irreversibly mated to the system
or be treated as a peripheral and have all of its communication with the core system strictly controlled and dealt with through black-box-testable means. TouchID isn't that and can't be that without a significant redesign of the
hardware, not just a software flash, and so it's a difference in kind from RAM (electrical in nature, the actual brains of the operation are on the motherboard) or hard drives (SATA controllers aren't part of the hard drive). When it comes to more advanced peripherals, like PCIe stuff, I think that's where you can start expecting some technical knowledge and agency on the part of the user--if you use a third-party SATA controller on a PCIe board, I trust that you know what you're doing, and if you don't that's your own damn fault. (This is also why Thunderbolt worries me a little, as it's bringing PCIe external to the machine and I can think of all sorts of really dirty shit that an attacker could do. It's bad enough that people plug their phones into random USB outlets...)