There isn't any lock-in using a Helm. You can always access and export your data on the LAN using standards-based clients to get your data wherever you'd like it to be.
Great for laptops/desktops, horrible for servers. You would have to be present for the challenge/response on a reboot. Also, doesn't solve the secure boot issue. FDE w/o secure boot isn't particularly useful.
There is an ongoing cost for email to work (static IP, DNS, tunneling for traffic) - this is why there is a subscription. It's not very complicated or malicious.
If a customer doesn't want a subscription, they can still use the Helm on their local network and get access to all their data. Running without a subscription is not something we currently support because of a lot of variables that can prevent email from working consistently, creating a heavy support burden (which is costly) along with bad customer experiences. It's best for people wary of a subscription to go down the DIY path (and we end up with a lot of DIY switchers once they realize how much effort it is).
A workaround is to set up a desktop email client - allow it to fully sync, then use the desktop email client to export your email and import to another account.
Google rate limiting and restricting access to your own data is pretty awful. They are similarly terrible about OAuth permissions for 3rd parties - some companies are allowed to export data on behalf of customers while others are not.
Would love to see what documentation you have around both of these points. I have not seen anything that indicates the SoC for the Pi supports eFuse or any other OTP storage.
Great questions:
> - How to ensure the hardware is not chipped with some low level spyware?
We use a verified boot process to ensure trusted bits are running on the HW.
> - Can we install stuff on this machine? How is the upgrade process working? Do we have root on the machine if need be?
Not yet - but we are planning for customers to be able to run their own services in the future. We have quite a few updates to do before we get there. The upgrades happen OTA, seamlessly in the background. There is no root access on the machine locally or remotely.