• [deleted]

I understand that the Titan M2 is the hardware root of trust and it detects other components from being modified. But once the device is unlocked, what would stop somebody from replacing the firmware of the Titan M2 itself with a poisoned version that let them do anything they want, assuming they have full physical control and access to the device? Would it be resistant to this in any way?

    [deleted]

    I understand that the Titan M2 is the hardware root of trust and it detects other components from being modified.

    No, that's incorrect. Firmware on the SoC is verified from the SoC root of trust.

    But once the device is unlocked, what would stop somebody from replacing the firmware of the Titan M2 itself with a poisoned version that let them do anything they want, assuming they have full physical control and access to the device? Would it be resistant to this in any way?

    Unlocking does not enable loading arbitrary firmware. Unlocking enables flashing firmware images which are verified from the hardware root of trust. User configured root of trust is supported for the OS and stored in the Titan M2. The verification is done by the last stage of the SoC boot chain before the OS, not the Titan M2. In this area, it is only responsible for storing lock state, verified boot state (rollback indexes, user configured root of trust) and performing attestation.

    Titan M2 firmware is signed and verified. It has downgrade protection just like the SoC firmware. The anti-rollback version is generally increased for every Titan M2 firmware update rather than only certain security critical ones. It also has insider attack resistance to only accept updates after the Owner user has authenticated, but that's not relevant to the question.
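The following is an added toy model of the verification flow the reply describes, written for this thread; it is not code from GrapheneOS, Google, or the Titan M2 firmware. It keeps the pieces the reply attributes to the secure element (lock state, rollback index, user-configured root of trust) in one state object and runs a boot-stage check over constructed firmware images. Because it stays on the Python standard library, an HMAC tag with a constructed key stands in for the asymmetric signature a real bootloader verifies against a stored public key; the key names, image layout and rule that an image's version may not fall below the stored rollback index are assumptions of this model.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed keys standing in for the vendor's and a user's signing keys.
VENDOR_KEY = b"constructed-vendor-key"
USER_KEY = b"constructed-user-key"


@dataclass
class SecureElementState:
    """What the model keeps in the tamper-resistant element: lock state,
    the anti-rollback index, and the root of trust used for verification.
    The verification logic itself lives in the boot stage (verify_and_boot)."""
    unlocked: bool = False
    rollback_index: int = 0
    root_of_trust: bytes = VENDOR_KEY


def _signed_message(version: int, payload: bytes) -> bytes:
    """Bind the anti-rollback version into the signed bytes so it cannot be
    altered independently of the payload."""
    return version.to_bytes(4, "big") + payload


def sign_image(signing_key: bytes, version: int, payload: bytes) -> dict:
    """Build a firmware image: payload, version, and an HMAC tag.
    HMAC is a stand-in for an asymmetric signature (assumption of this model)."""
    tag = hmac.new(signing_key, _signed_message(version, payload), hashlib.sha256).digest()
    return {"version": version, "payload": payload, "tag": tag}


def set_lock(state: SecureElementState, unlocked: bool) -> None:
    """Unlocking changes the lock state only; it does not bypass verification."""
    state.unlocked = unlocked


def set_user_root_of_trust(state: SecureElementState, key: bytes) -> bool:
    """A user-configured root of trust may only be installed while unlocked."""
    if not state.unlocked:
        return False
    state.root_of_trust = key
    return True


def verify_and_boot(state: SecureElementState, image: dict) -> tuple:
    """Boot-stage check: the image must chain to the stored root of trust and
    must not be older than the stored rollback index. Returns (ok, reason)."""
    expected = hmac.new(
        state.root_of_trust,
        _signed_message(image["version"], image["payload"]),
        hashlib.sha256,
    ).digest()
    if not hmac.compare_digest(expected, image["tag"]):
        return False, "signature does not chain to the stored root of trust"
    if image["version"] < state.rollback_index:
        return False, (
            f"rollback: image version {image['version']} is below the "
            f"stored index {state.rollback_index}"
        )
    # Accept and advance the anti-rollback index kept in the secure element.
    state.rollback_index = image["version"]
    return True, f"verified; rollback index is now {state.rollback_index}"


def walkthrough() -> list:
    """Run the scenarios from the thread and collect (ok, reason) results."""
    state = SecureElementState()
    results = []
    # 1. Locked device boots a vendor-signed image.
    results.append(verify_and_boot(state, sign_image(VENDOR_KEY, 1, b"fw-v1")))
    # 2. Unlocking alone does not let a modified image through.
    set_lock(state, True)
    tampered = dict(sign_image(VENDOR_KEY, 1, b"fw-v1"), payload=b"modified")
    results.append(verify_and_boot(state, tampered))
    # 3. While unlocked, the user installs their own root of trust and boots
    #    an image signed with it.
    set_user_root_of_trust(state, USER_KEY)
    set_lock(state, False)
    results.append(verify_and_boot(state, sign_image(USER_KEY, 2, b"fw-v2")))
    # 4. A correctly signed but older image is refused by downgrade protection.
    results.append(verify_and_boot(state, sign_image(USER_KEY, 1, b"fw-v1")))
    return results


if __name__ == "__main__":
    for ok, reason in walkthrough():
        print("ACCEPT" if ok else "REJECT", "-", reason)
```

The point the model makes is the one in the reply: the lock state gates who may change the stored root of trust and flash images, while the boot stage still verifies every image against that root and against the rollback index, so unlocking is not the same as being able to run arbitrary code.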