> Did they ever fix PCIe over thunderbolt security?

It seems to depend on whether you're on a desktop or mobile device. [1]

> macOS 13 Ventura was released in 2022 and for portable Macs with Apple CPUs Apple introduced a feature known as ‘Accessory Security’ (also known as ‘Restricted Mode’).

> By default, portable Macs (i.e. laptops) with an Apple CPU running macOS 13 Ventura or newer version of macOS will require the end user to authenticate and approve a Thunderbolt device when initially connected.

> Stationary Macs (i.e. desktops) with an Apple CPU running macOS 13 Ventura or newer version of macOS do NOT implement the ‘Accessory Security’ feature. As a result, Thunderbolt devices will be automatically approved and authenticated when initially connected.

Anecdotally, I have had Dell and Lenovo laptops with Thunderbolt, and in Linux I had to manually approve each new device before it would function. [2]

[1] https://kb.plugable.com/docking-stations-and-video/do-i-need...

[2] https://wiki.archlinux.org/title/Thunderbolt#User_device_aut...
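
An added example, not part of the original comment: a read-only check of the Linux Thunderbolt sysfs tree that reports each domain's security level and each device's `authorized` state, which is what the manual approval described above changes. The attribute files are the kernel's; the function name `tb_audit` and the `TB_SYSFS` override are introduced here for illustration.

```shell
#!/bin/sh
# Read-only audit of Thunderbolt authorization state on Linux.
# tb_audit and the TB_SYSFS override are names introduced for this example;
# the attribute files (security, authorized, device_name) are the kernel's.

tb_audit() {
    root="${1:-${TB_SYSFS:-/sys/bus/thunderbolt/devices}}"
    weak=0
    # One "security" attribute per domain (controller).
    for dom in "$root"/domain*; do
        [ -r "$dom/security" ] || continue
        level=$(cat "$dom/security")
        case "$level" in
            none)        verdict="WEAK: devices are connected without approval"; weak=1 ;;
            user|secure) verdict="OK: PCIe tunnels need explicit approval" ;;
            dponly|usbonly|nopcie) verdict="OK: PCIe tunneling is disabled" ;;
            *)           verdict="UNKNOWN level" ;;
        esac
        printf 'domain %s security=%s  %s\n' "${dom##*/}" "$level" "$verdict"
    done
    # Every router/device exposes "authorized": 0, 1, or 2.
    for dev in "$root"/*; do
        [ -r "$dev/authorized" ] || continue
        auth=$(cat "$dev/authorized")
        name=$(cat "$dev/device_name" 2>/dev/null || echo unknown)
        case "$auth" in
            0) state="NOT authorized" ;;
            1) state="authorized" ;;
            2) state="authorized with key challenge" ;;
            *) state="unrecognized value" ;;
        esac
        printf 'device %s (%s) authorized=%s  %s\n' "${dev##*/}" "$name" "$auth" "$state"
    done
    return "$weak"
}

# Exit status 1 means at least one domain runs with security=none.
tb_audit "$@" || echo "warning: a domain uses security=none" >&2
```
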