I agree, but this is next-level stuff. Sure, the government can throw a billion dollars at it, but we're getting savvy at dissecting hardware.
Given a particular chipset, there are prior examples through chipset datasheets, reviews, and FCC pics of hardware, to recognize what chips belong on a (router in this case) chipset and which don't.
So you have the core processor and an EEPROM, and any other *extra* chips where the functionality can't be identified would be suspect, so there are a couple options.
1) Make the EEPROM a larger capacity than is marked, scrub the markings off and reprint it or make it from scratch with a mislabeled capacity designation, so after the expected firmware size is met, there is still room for a loader for the real OS. This might still require #2 if people are flashing 3rd party firmware.
2) Much more work: fab an entirely counterfeit processor with embedded NVRAM, a very costly thing to do, and to pass it off it would have to have the same IC footprint to not be detected, yet shoehorn in the extra NVRAM on the die. I don't see this happening for consumer-grade devices sold at tier 3 pricing (behind corp and tier 1 premium consumer brands), but then I can't pretend to know what a government military budget deems most cost-worthy - it just seems like this isn't it, when the vast majority of consumers won't be good targets. High-value targets, I suspect, will tend to use more esteemed and higher-end hardware, not TP-Link.
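
An added example, not part of the comment above: one way to check option 1 from the inspection side is to read the flash chip past its marked capacity and classify what comes back. The function names, the 64 KiB size and the sample dumps are constructed for illustration. It assumes a part that really has the marked capacity ignores the high address bits, so an over-read wraps and repeats the firmware image.

```python
import hashlib

def erased(buf: bytes) -> bool:
    """True if buf is entirely 0xFF or entirely 0x00 (typical erased/padded fill)."""
    return len(set(buf)) == 1 and buf[0] in (0x00, 0xFF)

def classify_overread(dump: bytes, marked_size: int) -> str:
    """Classify the bytes a programmer returned beyond the marked capacity.

    Assumption: a part that really has marked_size bytes ignores the high
    address bits, so an over-read wraps and repeats the first marked_size bytes.
    """
    if len(dump) <= marked_size:
        raise ValueError("dump must extend past the marked capacity")
    base, extra = dump[:marked_size], dump[marked_size:]
    if erased(base):
        return "inconclusive"   # a blank chip cannot show wrap-around
    wrapped = (base * (len(extra) // marked_size + 1))[:len(extra)]
    if extra == wrapped:
        return "mirror"         # consistent with the marked capacity
    if erased(extra):
        return "blank"          # no wrap seen, but nothing stored there
    return "distinct"           # extra storage holding its own data

def nonblank_blocks(dump: bytes, start: int, block: int = 4096) -> list[int]:
    """Offsets of blocks at or after start that are not erased fill."""
    return [off for off in range(start, len(dump), block)
            if not erased(dump[off:off + block])]

# Constructed sample data (not from any real device): a 64 KiB "marked" part.
SIZE = 0x10000
FIRMWARE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(SIZE // 32))
EXTRA_CODE = hashlib.sha256(b"constructed").digest() * 128      # 4096 bytes
HONEST = FIRMWARE * 2                       # over-read wraps to the start
BLANK_TAIL = FIRMWARE + b"\xff" * SIZE      # responds past the mark, but empty
OVERSIZED = (FIRMWARE + b"\xff" * 0x8000 + EXTRA_CODE
             + b"\xff" * (SIZE - 0x8000 - len(EXTRA_CODE)))

if __name__ == "__main__":
    for name, dump in [("honest", HONEST), ("blank tail", BLANK_TAIL),
                       ("oversized", OVERSIZED)]:
        print(f"{name:10} -> {classify_overread(dump, SIZE)}",
              [hex(o) for o in nonblank_blocks(dump, SIZE)])
```

A "distinct" result, and the block offsets reported with it, says where in the dump to look next; it says nothing about what the data is.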