sleep_legacy I would lean more towards Libreboot with Qubes OS. But I think even then you don't have verified boot, do you?
The thing about Intel ME or PSP is that by putting a network monitoring system in front of that PC you could technically "catch" unsolicited traffic in/out of that PC, theoretically. But that's easier said than done. One could also argue that if there was a serious privacy/security backdoor issue with Intel ME, then perhaps at least one person would have "caught" it in the act in the past 15 years. Is there any account of this?
I was so worried about Intel ME in the past, but now I'm not. I think it's only a threat if a sophisticated attacker (gov) wants to directly target you, and that's not everybody. Although if you wanna be more safe, the way to deal with it is to put your system behind an external firewall with white-listed IPs/URLs. I'd think that should do it. No?
Or just have a more secure system for your critical stuff.