It appears you misunderstand a bit what the difference between those two machines would be in terms of security. In fact, it is likely that you would be able to neuter/disable ME on the T490 (not trivial, but doable).
What a NitroPad X230 will provide you is a lot more than a neutered/disabled ME.
Tamper Detection Through Measured Boot
Thanks to the combination of the open source solutions Coreboot, Heads and Nitrokey USB hardware, you can verify that your laptop hardware has not been tampered with in transit or in your absence (so-called evil maid attack). The integrity of the TPM, the firmware and the operating system is effectively checked by a separate Nitrokey USB key. Simply connect your Nitrokey to the NitroPad while booting and a green LED on the Nitrokey will show that your NitroPad has not been tampered with. If the LED should turn red one day, it indicates a manipulation.
coreboot is an extended firmware platform that delivers a lightning fast and secure boot experience on modern computers and embedded systems. As an Open Source project it provides auditability and maximum control over technology.
Heads is not just another Linux distribution – it combines physical hardening of specific hardware platforms and flash security features with custom coreboot firmware and a Linux boot loader in ROM. This moves the root of trust into the write-protected region of the SPI flash and prevents further software modifications to the bootup code (and on platforms that support it, Bootguard can protect against many hardware attacks as well). Controlling the first instruction the CPU executes allows Heads to measure every step of the boot firmware and configuration into the TPM, which makes it possible to attest to the user or a remote system that the machine has not been tampered with. While modern Intel CPUs require binary blobs to boot, these non-Free components are included in the measurements and are at least guaranteed to be unchanging. Once the system is in a known good state, the TPM is used as a hardware key storage to decrypt the drive.
So when running Qubes OS on a T490 even with neutered ME, you are still subject to “evil maid attacks”. Yes, there is AEM, but that in turn relies on ME … so clearly Coreboot/Heads plus a Yubi/Librem/Nitrokey are far superior.
Make sure you understand the implications before making your decision. I personally “downgraded” from a ThinkPad P51 to a ThinkPad T430 and modded it myself to be the security equivalent of a NitroPad T430. Technically the CPU is slower and I have less RAM, but I find the difference almost negligible, especially if you invest in a decent SSD and use minimal templates. However, from a trust perspective this is far superior!
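The measured-boot check quoted above can be modelled in a few lines. This is an added example, not part of the original post and not code from Heads or Nitrokey: it simulates a TPM 1.2-style SHA-1 PCR extend chain, a secret that is only released when the PCR matches, and an HOTP (RFC 4226) comparison standing in for the green/red LED. The stage names, the `seal`/`unseal` helpers and the sample blobs are assumptions constructed for illustration.

```python
import hashlib, hmac, struct

def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM extend: new PCR = SHA1(old PCR || SHA1(measured blob))."""
    return hashlib.sha1(pcr + hashlib.sha1(blob).digest()).digest()

def measure_boot(stages) -> bytes:
    pcr = bytes(20)                      # PCRs start at all zeroes on reset
    for blob in stages:                  # each stage is measured before it runs
        pcr = extend(pcr, blob)
    return pcr

def seal(secret: bytes, pcr: bytes) -> dict:
    # Model only: a real TPM keeps the secret inside the chip, bound to the PCR.
    return {"pcr": pcr, "secret": secret}

def unseal(sealed: dict, current_pcr: bytes):
    ok = hmac.compare_digest(sealed["pcr"], current_pcr)
    return sealed["secret"] if ok else None

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def boot_check(stages, sealed: dict, key_secret: bytes, counter: int) -> str:
    """Return 'green' if the firmware can prove it booted the sealed state."""
    secret = unseal(sealed, measure_boot(stages))
    if secret is None:                   # PCR mismatch: nothing to present to the key
        return "red"
    same = hmac.compare_digest(hotp(secret, counter), hotp(key_secret, counter))
    return "green" if same else "red"

# Constructed sample data (not real firmware images or secrets).
GOOD = [b"bootblock", b"romstage", b"heads kernel+initrd", b"/boot config"]
EVIL = [b"bootblock", b"romstage", b"heads kernel+initrd (patched)", b"/boot config"]
SHARED = b"12345678901234567890"         # provisioned to both TPM and USB key
SEALED = seal(SHARED, measure_boot(GOOD))

if __name__ == "__main__":
    print("untouched:", boot_check(GOOD, SEALED, SHARED, 0))
    print("tampered: ", boot_check(EVIL, SEALED, SHARED, 0))
```

Because each extend hashes the previous PCR value, a change to any single stage, or to the order of the stages, yields a different final PCR, so the secret stays sealed.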