@emilis >blob, uploaded by kernel: woa, evil!
Yes, evil, as that blob is under a proprietary software license that you must accept.

It's all well and good to claim that such proprietary malware can be replaced, but that happens extremely rarely.

It's also now common to implement digital handcuffs in such hardware, making it cryptographically impossible to replace the malware.

>stored on flash alongside the hardware that's harder to inspect or disable: this is fine actually
Assuming you meant EEPROM, sure it's not ideal, but you don't need to accept any proprietary software license to use that hardware.

It really isn't hard to overwrite an EEPROM with all 0's with flashrom either.

Also, dumping and flashing an EEPROM is trivial compared to writing a free software replacement - if you can do the latter, you can do the former.

It seems to be less common for digital handcuffs to be implemented for software in EEPROM for peripheral devices as well.