Just to freak you out, I've played around with the EC on my Framework, and it really wouldn't be hard for someone to create a modified firmware with a key logger built in or something. But AFAIK the EC doesn't have internet access or a way to screw with the OS, so it would be mildly pointless without accompanying software.
Modifying the BIOS seems slightly more difficult, although I think some Frameworks are still vulnerable to LogoFAIL.
I wouldn't worry about extra chips, they'd either be quite noticeable that they shouldn't be there, or too expensive to be wasted on a stranger.
So the chances are, unless you've got some proper enemies, it's fine. I'd definitely update the BIOS (which also updates the EC), and fresh install Windows/Linux, but that's as far as I'd go.