TPM 2.0 Future Project/Alternatives

There is a Community-recommended computers list, which contains machines without coreboot.

Technically, if you can reflash your BIOS from the OS, anyone else with root access in dom0 can do it too (highly unlikely though). It's fine to have a threat model that does not account for this.
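A quick way to see whether your own board falls into the "reflashable from the OS" case is to read the chipset's BIOS write-protect bits. The script below is an added example, not part of the original post or of any Qubes/coreboot tooling. It assumes an Intel platform where the BIOS_CNTL register sits at offset 0xDC of the LPC bridge at PCI 00:1f.0, with bit 0 = BIOSWE (BIOS Write Enable), bit 1 = BLE (BIOS Lock Enable) and bit 5 = SMM_BWP (SMM BIOS Write Protect); the register location differs on some generations, so treat the offset as an assumption and check your PCH datasheet. The `decode_bios_cntl` function name is mine.

```shell
#!/bin/sh
# Added example (not from the original post). Decodes the Intel PCH BIOS_CNTL
# register to tell whether the BIOS region could be rewritten by root from
# the running OS. Assumed layout (verify against your PCH datasheet):
#   bit0 BIOSWE  - writes to the BIOS region are currently enabled
#   bit1 BLE     - setting BIOSWE traps to SMM (an SMI handler may clear it)
#   bit5 SMM_BWP - BIOS region writable only while all cores are in SMM

# decode_bios_cntl <value> -> prints one of: writable | ble-only | protected
decode_bios_cntl() {
    val=$(( $1 ))
    bioswe=$((  val        & 1 ))
    ble=$((    (val >> 1)  & 1 ))
    smm_bwp=$(( (val >> 5) & 1 ))

    if [ "$smm_bwp" -eq 1 ]; then
        # Writes outside SMM are blocked regardless of BIOSWE; root in the OS
        # cannot flash directly.
        echo "protected"
    elif [ "$bioswe" -eq 1 ] || [ "$ble" -eq 0 ]; then
        # Either writes are already enabled, or nothing stops root from
        # setting BIOSWE itself: reflashing from the OS is possible.
        echo "writable"
    else
        # BLE set, SMM_BWP clear: protection rests entirely on the SMI
        # handler, which is a weaker guarantee than SMM_BWP.
        echo "ble-only"
    fi
}

# Probe the live register when run as root on a machine with pciutils.
# Assumption: BIOS_CNTL at 00:1f.0 offset 0xDC (setpci prints hex, no 0x).
if [ "$(id -u 2>/dev/null)" = "0" ] && command -v setpci >/dev/null 2>&1; then
    raw=$(setpci -s 00:1f.0 0xdc.b 2>/dev/null) \
        && echo "BIOS_CNTL=0x$raw: $(decode_bios_cntl "0x$raw")"
fi
```

Run it from dom0 as root; "writable" means the situation described above applies to your machine. Note this only covers the chipset-level lock: the SPI flash's own protected-range registers (shown by `flashrom --wp-status`) are a separate layer and can still block writes when BIOS_CNTL does not.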