"TL;DR: all recent macOS devices are no longer safe to use if left alone, even if you have them powered down.
The root of trust on macOS is inherently broken
They can brute-force your FileVault2 volume password
They can alter your macOS installation
They can load arbitrary kernel extensions"