Disabled? Yeah, right...
What everyone seems to be overlooking here is that "disabled" is not really "disabled". The ME is integral to the x86 boot process and always, always runs.
What Purism is using here is the kill switch for the second level of ME services, akin to userspace on a normal Linux computer. The ME kernel still runs and is still required for bootup, even if it goes offline afterward. This means the machine is still just as vulnerable to preinstalled / evil-maid-type malware targeting the ME as it ever was.
Purism really needs to be more clear on just what they are doing. They keep making grandiose claims that are not 100% true and compromising everyone's security as a result.