I have two of these, the M7 model with 480 GB, and the M3 with 120 GB.

The M7 is running Qubes OS 3.2, and the M3 is running Qubes OS 4.0 RC 4 (with some complications).

By design the USB-ports are not activated until after you have begun booting the operating system. You can change this to boot from USB by entering into the BIOS and rebooting twice.
With maximum security set up, you need to enter a six-digit pin to even be allowed to present the key-fob for validation. Move the key-fob away far enough - adjustable in the BIOS down to five meters I think - and as the presentation explains, the machine goes into sleep-mode.

And with qubes you can also set it up to use a yubikey for login. The USB-ports are hardened and the Intel Management Engine is pruned, it's running coreboot and so various attacks using BadUSB are not possible. Also of course Evil Maid attacks are impossible.

In fact there is no point in even encrypting the harddisk with software; it is already hardware encrypted. If you want though, you could also set it up with LUKS-encryption using the LUKS-NUKE option, so that if the wrong password is entered the LUKS-header is wiped and the HD becomes undecryptable.

This is the perfect device for keeping data private, in fact it is not even a "Personal" computer, it is a PRIVATE computer.

Want to make an external harddisk completely and utterly safe? Encrypt it with LUKS and put the header plus keyfile on the ORWL.
Congratulations, your external harddisk is now indistinguishable from a harddisk with completely random data, it isn't even possible to tell that it IS in fact encrypted.

I'm planning on setting these up with various solutions for various customers, depending on their threat model and custom needs & wishes.

Any questions, feel free to ask.
It comes with either windows 10 (lol), ubuntu, or qubes 3.2 preinstalled but you are free to install whatever you want on it.
Also you may wish to purchase some special hardware to make the most of the fact that there are only two USB-C ports, such as a USB-C splitter to 4 connectors, one USB-C power only, one USB-3.0, and two USB-1.0.
And a powered Anker USB hub for the other USB-C port which has a USB-C to USB-3.0 connector.