Comment by heavyset_go
19 hours ago
Your firmware and UEFI likely accept MS keys even if you supplied your own for Secure Boot. Sometimes the keys are unable to be removed, or they'll appear "removed" but still be present, because losing the keys could break firmware updates/option ROMs/etc.
Similarly, your TPM is protected by keys Intel or AMD can give anyone.
If you want to extrapolate, your Yubikey was supplied by an American company with big contracts to supply government with their products. Since it's closed source and you can't verify what it runs, a similar thing could possibly happen with your smartcard/GPG/pass keys.
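The comment's point that vendor keys can remain in the firmware's Secure Boot db even after you enrolled your own is something you can verify by enumerating what the db variable actually contains. The following Python is an added example, not code from the comment or from Hacker News: it parses the UEFI EFI_SIGNATURE_LIST format, lists each entry's type, SignatureOwner GUID and payload hash, and flags entries not owned by the GUID you enrolled under; the owner GUIDs, the fake certificate bytes and the `load_efivar` helper are assumptions.

```python
"""Enumerate UEFI Secure Boot signature database entries (db, dbx or KEK).
Added example, not from the comment; SAMPLE_DB is constructed (see load_efivar)."""
import hashlib
import struct
import uuid
# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
HDR = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize

def parse_signature_lists(data):
    """Return (type, owner GUID, sha256 of payload) for every EFI_SIGNATURE_DATA."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 16 + HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = HDR.unpack_from(data, off + 16)
        body_start = off + 16 + HDR.size + hdr_size
        if sig_size < 16 or body_start > off + list_size or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at %d" % off)
        body = data[body_start:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):  # entry = 16-byte owner GUID + payload
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            digest = hashlib.sha256(body[i + 16:i + sig_size]).hexdigest()
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), str(owner), digest))
        off += list_size
    return entries
def foreign_entries(data, trusted_owner):
    """Entries whose SignatureOwner is not the GUID your own keys were enrolled under."""
    return [e for e in parse_signature_lists(data) if e[1] != str(trusted_owner)]
def load_efivar(path):
    """Read an efivarfs file (assumed helper); the first 4 bytes are attributes, not data."""
    with open(path, "rb") as f:
        return f.read()[4:]
def build_signature_list(sig_type, owner, payloads):
    """Assemble one EFI_SIGNATURE_LIST (only used to construct the sample below)."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + HDR.pack(16 + HDR.size + len(body), 0, 16 + len(payloads[0])) + body

VENDOR_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed placeholder
OWNER = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")          # constructed placeholder
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, VENDOR_OWNER, [b"fake-vendor-DER"])
             + build_signature_list(EFI_CERT_X509_GUID, OWNER, [b"fake-owner-DER"])
             + build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [bytes(32), b"\x01" * 32]))
```

On a real system, pass `load_efivar("/sys/firmware/efi/efivars/db-<GUID>")` to `foreign_entries` with your own enrollment GUID; any x509 entry it reports after a firmware-menu "remove" is the situation the comment describes.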