Further, while only licensed device makers are permitted to modify Google’s AndroidTV, any device maker is free to make changes to open source versions. That leaves open the possibility that the devices were infected in the supply chain and were already compromised by the time they were purchased by the end user.

It’s ArsTechnica, so I wouldn’t think they’re intentionally spreading FUD around FOSS, but that bit did live a bad taste in my mouth.