One of these devices is malicious.
It can steal your data and your screen picture and send them to an attacker wirelessly; it can fingerprint and infect all of the devices you connect to your ports. It can even impersonate you by clicking the mouse and typing on your keyboard right before your eyes. It can kill your laptop by sending 10 000 volts into the port.
Guess which one is dangerous? Maybe none of them, maybe both. Maybe you already have one in your laptop. You don’t know? Me neither.
The thing is, a malicious device can look identical to an honest one right from the store. I realized that when I was writing my suggestion for a USB condom device. An attacker can buy an expansion card, tweak it with custom hardware, and wait for a good moment.
What is even more concerning is that these expansion cards can be trivially swapped within seconds. Not by you. By someone else. Heck, we love our laptops exactly for this possibility! To swap cards fast.
Imagine going to the bathroom and leaving your laptop on a desk for a minute. Once you return, it can already be infected by one of those evil cards, and you would never know. This is a problem. And a security attack vector.
So my advice is: do not leave your laptop (or any hardware) unattended. Know your stuff. Ideally you should make all of your devices unique. Stickers everywhere may look dumb and childish, but they do make your stuff unique. Even a scratch can make a card unique and really hard to replicate.
On the OS level, all devices should have readable serial numbers and be registered within the system. Still, it would not prevent a dumb expansion card from being made not so dumb, but it would warn you if something else had changed. Dumb expansion cards like type-C and type-A should probably be deprecated in favour of something with an ID. That way, if an attacker removed a card, the OS would know that the original one was removed. A breach-detection button inside the slot is also a good idea.
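As an added example (not code from the original post), here is roughly what that OS-level registration check would look like on Linux: inventory attached USB devices by vendor, product and serial, diff the result against a saved baseline, and flag both changed devices and cards that expose no serial at all (the "dumb card" case the text mentions). The sysfs path is an assumption and the sample records below are constructed, not real serials.

```python
# Added example: baseline-and-diff check for attached USB devices.
# Not part of the original post. Reads Linux sysfs when available; the diff
# logic is exercised on constructed sample records at the bottom.
import json
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")   # assumption: Linux sysfs layout

def _attr(dev: Path, name: str) -> str:
    p = dev / name
    return p.read_text().strip() if p.is_file() else ""

def enumerate_usb(root: Path = SYSFS_USB) -> list:
    """Collect one record per USB device (interfaces like '1-3:1.0' are skipped)."""
    records = []
    for dev in sorted(root.glob("[0-9]*")):
        if ":" in dev.name:
            continue
        vid, pid = _attr(dev, "idVendor"), _attr(dev, "idProduct")
        if not vid:
            continue
        records.append({"port": dev.name, "vid": vid, "pid": pid,
                        "serial": _attr(dev, "serial"),
                        "product": _attr(dev, "product")})
    return records

def identity(rec: dict) -> str:
    """A device is only identifiable if it reports a serial number; '' otherwise."""
    return f"{rec['vid']}:{rec['pid']}:{rec['serial']}" if rec["serial"] else ""

def compare(baseline: list, current: list) -> dict:
    """Diff two inventories. Devices without a serial cannot be matched to the
    baseline, so they are reported as 'unidentifiable' instead of being trusted."""
    base_ids = {identity(r) for r in baseline if identity(r)}
    cur_ids = {identity(r) for r in current if identity(r)}
    return {
        "missing": sorted(base_ids - cur_ids),
        "new": sorted(cur_ids - base_ids),
        "unidentifiable": sorted(r["port"] for r in current if not identity(r)),
    }

# Constructed sample records (placeholder IDs and serials): a storage card that
# reports a serial, and a "dumb" hub-style card that exposes none.
BASELINE = [
    {"port": "1-3", "vid": "1234", "pid": "5678", "serial": "EXAMPLE0001", "product": "Storage Card"},
    {"port": "1-4", "vid": "abcd", "pid": "ef01", "serial": "", "product": "Dumb Card"},
]
CURRENT = [
    {"port": "1-3", "vid": "1234", "pid": "5678", "serial": "EXAMPLE9999", "product": "Storage Card"},
    {"port": "1-4", "vid": "abcd", "pid": "ef01", "serial": "", "product": "Dumb Card"},
]

if __name__ == "__main__":
    print(json.dumps(compare(BASELINE, CURRENT), indent=2))
```

Saving `enumerate_usb()` output as the baseline and re-running `compare()` on boot or on dock events is the warning the text asks for; the "unidentifiable" list is exactly the blind spot that dumb cards leave.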
Ideally we should have a way to lock the slots to make it hard (not impossible) to swap a card without prior authorization.
P.S.: If I’m not mistaken, card eject buttons, when pressed, feel like they are not just a mechanical thing. I feel a real button there. If it’s processed by the same circuitry as the breach-detection lever and is OS independent, then it would be absolutely awesome and my faith in humanity (and Framework) would be restored a bit.