JackMurphy I'll definitely look into the Framework one you mentioned. Off the top of my head, that didn't have BootGuard when I looked at it.
Framework has a proper BootGuard setup and this is one of the reasons why the laptop can meet high HSI security levels like level 3 and level 4. You seem unfamiliar with the HSI specification, so I will link it for you here. If you read it, you will find the lowest level is HSI:0 and the highest currently is HSI:4. All the laptops that have been recommended to you reach HSI:3 or will reach it in the near future (like NovaCustom's NV41). The only requirement for HSI:4 is TME and so having a vPro CPU is a must to reach HSI:4.
As for any other requirements that you may not have listed or are forgetting about, I'd say consistent firmware updates. NovaCustom provides firmware updates for 5 years from your purchase, Dell provides up to 6 years I believe, and ThinkPad consistently provides updates too, but I do not know for how long. Probably a bit less than Dell. Framework is the only one that has had issues regarding shipping consistent firmware updates for its devices. Although they are improving slowly, it is not a good look for them from a security perspective and so I would probably avoid Framework for now.