Security is about controlling risks in your threat model. There is nothing particularly complex about what they’re doing that isn’t already being done. It simply requires more effort and will be costly to retrofit them properly if they need any hardware changes on the device side. The fact that they can’t open up access to other authorized parties actually shows how poor of a job they’ve done and susceptible to compromise they are. The AG’s complaint actually details multiple AuthN/AuthZ models that the EFF helped them describe in their amicus brief! They’re simply putting up a fight because it’ll be expensive.