Can any model of Raspberry-Pi hold malware outside the SD?

Question

Suppose I acquire a second hand unit, or maybe I lend mine to a friend. Can I be reasonably sure the unit hasn't been malwared?

Consider the nightmare scenario. My friend borrows my Raspberry Pi but I keep my SD card. He adds his own SD card, starts up the device and because reasons, visits all the dodgy websites, downloads many dodgy executables and runs them all. The machine is running all the botnets and it's terrible. Finally, he unplugs the power, removes his SD and returns the device to me.

I put my own SD back in, power it up and log into my bank. Am I going to have a problem in this hypothetical?

Reading another question it seems that the "BIOS" is unchangeable at a hardware level, which is great. Does that mean I don't have to worry about malware if I'm sure my SD card doesn't have any?

For the purposes of this question, I'm only thinking about modification of the Raspberry Pi from a black-box point of view. IE, only counting attacks through the various ports. I imagine someone could solder in a key-logger into the circuit board and maybe even one that's super tiny and invisible to a casual inspection, but that would require my friend to be actively evil rather than really stupid.

Answer 1

There's no user accessible long term storage on ANY raspberry pi (except for a Compute Module with EMMC). Everything is normally on the SDCard.

There is the EEPROM on a RPi4 or 400 or CM4 but it isn't user accessible and the code that runs from the EEPROM isn't ARM or ARM64. So it can't be considered a risk.