Take a look at how Matter handles this: a manufacturer certificate vouches for hardware integrity, which gets superseded by the fabric's root CA on commissioning (enrollment in the fabric).

This is basically the best we can hope for until we get nanofabs at home and can build our own secure enclaves in our garages.

Trust decision theory goes like this: if it were possible for the manufacturer to fully control the device, then competitors would not use it, so e.g. wide industry adoption of OpenTitan would be evidence of its security in that aspect. Finally, if devices had flaws that allowed them to be directly hacked or their keys stolen, then demonstrating it would be straightforward, and egg on the face of the manufacturer who baked their certificate into the device.

Final subject: 802.1X and other port-level security is mostly unnecessary if you can use mTLS everywhere, which is what ubiquitous hardware roots of trust allow. Clearly it will take a while for the protocol side to catch up, but I hope that eventually we'll be running SPIFFE or something like it at home.
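The "manufacturer cert vouches, fabric root supersedes" flow from the comment above, modelled in Go as an added example. This is not the commenter's code and not Matter's implementation: real Matter certificates use a TLV encoding and the node supplies a CSR for its operational key, whereas here everything is plain X.509 from the standard library and the CA generates the keys. The names "Vendor PAA", "Vendor PAI", "Device DAC", "Home Fabric Root CA" and "node-0001" are made up for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a key with its cert. Names follow Matter (PAA/PAI/DAC, NOC); certs are plain X.509, not Matter TLV.
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func must(err error) { if err != nil { panic(err) } }

// issue makes a P-256 key and a cert for it signed by parent (self-signed when nil). Matter
// nodes generate their own operational key and send a CSR; the CA side is the same. KeyUsage/EKU omitted.
func issue(cn string, isCA bool, parent *Identity) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil {
		parent = &Identity{Key: key, Cert: tmpl} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Identity{Key: key, Cert: cert}
}

// chainsTo reports whether leaf verifies up to root via the given intermediates.
func chainsTo(leaf, root *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// attest models both sides of device attestation: the device signs the commissioner's nonce with
// its DAC key; the commissioner requires the DAC to chain to a trusted PAA AND the signature to verify.
func attest(dev *Identity, pai, trustedPAA *x509.Certificate) error {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	must(err)
	h := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, dev.Key, h[:]) // device side
	must(err)
	if !chainsTo(dev.Cert, trustedPAA, pai) { // commissioner side from here on
		return fmt.Errorf("DAC does not chain to a trusted PAA")
	}
	if !ecdsa.VerifyASN1(dev.Cert.PublicKey.(*ecdsa.PublicKey), h[:], sig) {
		return fmt.Errorf("device failed proof of possession of the DAC key")
	}
	return nil
}

// Result holds the attestation outcomes (nil = accepted) and who trusts what afterwards.
type Result struct {
	Genuine, CloneDAC, CopiedDAC                            error
	NOCTrustedByFabric, NOCTrustedByPAA, DACTrustedByFabric bool
}
// RunScenario: the vendor chain vouches at commissioning time; afterwards only the fabric root anchors the NOC.
func RunScenario() Result {
	paa := issue("Vendor PAA", true, nil)
	pai := issue("Vendor PAI", true, paa)
	dac := issue("Device DAC", false, pai)
	var r Result
	r.Genuine = attest(dac, pai.Cert, paa.Cert)
	rogue := issue("Rogue PAA", true, nil) // clone vendor whose root nobody trusts
	r.CloneDAC = attest(issue("Clone DAC", false, rogue), rogue.Cert, paa.Cert)
	thief := issue("attacker", false, nil) // holds a copy of the DAC cert but not its key
	r.CopiedDAC = attest(&Identity{Key: thief.Key, Cert: dac.Cert}, pai.Cert, paa.Cert)
	fabricRoot := issue("Home Fabric Root CA", true, nil)
	noc := issue("node-0001", false, fabricRoot)
	r.NOCTrustedByFabric = chainsTo(noc.Cert, fabricRoot.Cert)
	r.NOCTrustedByPAA = chainsTo(noc.Cert, paa.Cert, pai.Cert)
	r.DACTrustedByFabric = chainsTo(dac.Cert, fabricRoot.Cert, pai.Cert)
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Running it shows the two halves of the trust model: attestation accepts the genuine device and rejects both a clone whose chain ends at an untrusted root and an attacker who copied the DAC certificate without its key (the proof-of-possession signature is what catches the second case). After commissioning the NOC chains only to the fabric root, and neither the vendor PAA nor the fabric root will accept the other side's certificates, which is the sense in which the manufacturer certificate is superseded. The NOC is also the identity a node would present in the mTLS-everywhere setup the comment hopes for.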