> but if you have admin access to the BMC you can access the console, reboot the machine into single-user mode or even into another OS entirely, and then implant any malware you want, wipe the storage, etc.

True in the common case, but this can/should be guarded against by disk encryption and secured boot chains.