Fair enough. I just operate under the assumption deleted means deleted, I’d never toss Auth keys in userspace but I could absolutely see myself placing them temporarily in scripts I’d delete later.

Honestly this should be treated as a security vulnerability as well as a general bug, no?

It’s likely done in an automated way by the same equipment that tests the hardware, so costs are probably more along the lines of a few fractions of a penny, and imo shipping any device without an os at all is a bit silly as they could very likely end up in the hands of someone without the capability or equipment to image them.