Many corporates are fine with pulling down files to a bastion host behind a firewall and building over to other non-internet-connected hosts from there. Swapping random storage devices (that have their own CPU + firmware) among random machines is probably more risk than an SCP pull connection over LAN.

Reproducible builds from the OS vendor site, and friends East and West, can help verify the final pluggable boot and run media before perma-stuffing it in the system. Then people play around with keygen, airgap, etc.

Given the hardware is all closed, and software is bloated, the cost to verify a system to any given book standard quickly becomes moot vs. risk. Security is a continuum of tradeoffs; there are no absolutes.

Besides NSA, who has available protocols and data rates for...

'dd /dev/urandom /dev/LCDscreen' --> air --> 'dd /dev/camera /dev/null'

Somebody already did lavalamp datarates. But the above is a different camera target and use case.

New PCIe-USB port mashups... direct to RAM/CPU like old FireWire... security insanity.
if your main system were already infected?
Give it to Juan to smash with his ragehammer.