see Disabling ME on the T480 (and other laptops)
There is not an 1vyrain equivalent for xx80 series ThinkPads yet. You should be able to flip the HAP bit. The HAP bit was uncovered by Positive Technologies. Another thing you really want to do is not use Intel wifi chips which are designed to make the Intel ME accessible via wifi. ThinkPenguin wifi are what most people concerned with Intel ME/AMT aka “vPro” reach for. Some have pointed out that Intel ME/AMT can have drivers for the Atheros chips in the ThinkPenguin wifi chips. These users dedicated a small singleboard computer to proxy networking.
I have read extensively on various darknet imageboards that the only thing resembling a reasonably secure system involves multiple boards (multiple computers) working together. I am sorry that we don’t have nice things.