FWIW, as suboptimal as this firmware update situation is, it’s still better than the situation I was in with my ThinkPad. In order to update the BIOS on that, I had to download a file that I had no way of authenticating, use a Perl script that I had no way of authenticating in order to convert it into the appropriate image type, copy it onto a USB drive, then boot from that. At least now I’m not manually downloading all sorts of untrusted files and running scripts I found on the Internet to convert them myself. Instead, my downside risk is basically that, with respect to firmware updates, I’m in the same position as people who actually use Pop!_OS or Ubuntu as their main operating system (except it’s not even that, because I’m not using it for anything except firmware updates, so there are far fewer opportunities for the installation to be compromised.) Oh, and it was even worse once my ThinkPad stopped receiving BIOS updates entirely, since then I simply had no way to patch known vulnerabilities.