If your hardware is compromised and has a backdoor then none of your protections in your OS will protect against it. This is very dangerous and is why it is very important to use open source hardware with privacy in mind. These are near impossible to get.
Modern Intel CPUs come with a thing called a Management Engine. This is mainly used for businesses but can be used to compromise your computer. The ME has full access to memory, the TCP/IP stack, can send and receive network packets, can activate your computer remotely and is signed with an RSA 2048 key that cannot be bruteforced. The ME is completely proprietary so nobody can audit it.
AMD CPUs come with their own equivalent called the PSP. Many people claim that this has full access to your computer but none of these claims have any evidence it back it up. AMD has repeatedly refused to open source the code. This could indicate some kind of backdoor they don't want us to see but there isn't any evidence for this.
These can be used as backdoors into your PC and nothing can stop it. This is why we must use secure hardware.
Purism is a company that makes hardware designed with privacy in mind. Most of the hardware and firmware is open source and they have disabled the ME. The process they used is described on their website. Ordinary people cannot use this method as you need to be the manufacturer to do some of these steps.
The ME Cleaner is a python script the removes unnecessary parts of the ME. You can get it here.
Libreboot is an open source BIOS or UEFI replacement. It is a fork of coreboot which Libreboot deblobs. You can get it here. It only works on a few devices.
Talos II is a series of workstation and server computers made by Raptor Engineering. It uses 100% FOSS boot firmware. You can find more info on their website or you can read the Libreboot article.