Sure, but there is no evidence of that, so why even bring it up as an example/excuse as to why anyone would argue this way? It is totally unfair to assume that the content has not already been signed prior to distribution without evidence.
> If the USB stick accidentally contains private keys for signing, that might be of concern.
That would still be a problem if the updates were only distributed to repair shops, however (you'd need someone on the inside, but given the number of people involved, that probably wouldn't be too hard).
The more important concern is the phishing issue.