first off chill out, Jason Bourne.

the threat mitigation is handled based on your threat model, not on a “defend all bases against anyone” approach. once you answer what your specific model is, then you can start building your defences. if your threat model is spouse looking through your shit, a password is more than adequate. if it’s the border nazis CBP, you go for encryption at rest. if it’s a toddler walking around the house smashing stuff, none of those will do you any good.

there are people with complex threat models but I doubt they post on lemmy and they def don’t scour the classifieds for used Thinkpads. the idea that there are threat actors out there infecting random devices and then see what they catch is… def possible, but highly unlikely.

you’re perfectly safe using a 2nd hand enterprise-class laptop, like a Thinkpad, Elitebook, or Latitude, wiped clean. those are tough and resilient devices built for road warriors for everyday, heavy use. the good thing is, they get periodically swapped out for new models, so they can be had for cheap, and a huge majority of those haven’t seen a lick of any significant use.

those devices are worlds apart from the laptops you’re advocating buying (I assume you mean the consumer-class models) and definitely way cheaper, like a couple times over, while being infinitely expandable and serviceable with cheap, widely available and cross-generation compatible parts.

the final part is compartmentalisation and fungibility of devices. keep the minimum stuff you need on there, assume they will break, get lost or stolen, so encryption is mandatory, and have a tried and tested backup and restore procedure in place.

I’ve noted the product families specifically and what I wrote applies to them only, not every used device everywhere.