For the full write-up see https://www.linkedin.com/pulse/canonical-maas-security-keith-bierman.
But to summarize, depending on “in-band” erase and firmware updates cannot actually provide any value against a hostile user. Unless MAAS is restricted to providing systems only to known trustworthy consumers … methods outside of MAAS are necessary to safely RELEASE systems.