To that end, they recommend someone steps in to offer audits of the supply chain and catch potential security and privacy threats in bundled software.
Too little, too late. The recommendation should be that pre-installed/bundled software must be removable by the end user. Just "disabling" is not enough, as it could be re-enabled by something else and wouldn't free up the storage.
At least there are now choices with no, or hardly any, bundled crap.