To be fair is it any worse than the RPi4B which uploads the VL805 MCU firmware blob (which I’m guessing is encrypted) via a mailbox request to the Videocore OS in the event of a reset, using non public firmware load logic. (ref: Open-Source Status of VisionFive 2 - #7 by mzs )
The problem is that there are no PCIe to multi port USB 3.0 host controllers that are opensource (high quality and cheap), as far as I know.