Barring doing the safest thing (not allowing remote flashing of code) they should at minimum have monitoring that alerts when code is added or changed.
I’m not even saying flashing shouldn’t be “allowed”. I’m saying it should be impossible. Whatever code the devices run should be in hardware, requiring physical contact to reload. If it’s a permission thing, there might be some way for them to end run it.