To give you some understanding of my Qubes OS hardware criteria years ago, it was based on three requirements:
- Anti-interdiction
- Hardware kill switches
- Coreboot
I decided the Purism Librem 14 with PureBoot Bundle Anti-interdiction was the best option for me at the time:
My root of trust is solely based on my own judgment, so I value any opportunities where I can reduce and/or eliminate trusting any third-parties. This article from @maltfield explains Trusted Boot and its contrasting models:
I will mention that who and/or what you trust will determine what options are best for you against your threat model, so I cannot necessarily provide suggestions until your order of priorities are known. Even though I may only use gratis and libre open-source software in my workflow, that does not necessarily apply to firmware and/or hardware due to lack of options, resources, and/or updates.