I see it as quite feasible that an attacker could insert a fob or organise for a fob to be inserted without also having opportunity to reboot the computer.
That fob could then compromise the system when the computer was rebooted. The Lenovo BIOS setting being discussed would prevent that.
BTW, can you clarify if you think the feature from Lenovo is a good or a bad thing given your claim that it's very easy to disable?
The boot variables won't point at the device, and so the firmware will never bother to scan the device. The BIOS setting therefore provides no additional security in this scenario.