How are either hidden? Both require access to your device, so where are you going to leave it unattended? And if Thunderbolt is a threat to you, why would you ever leave it unattended? When would this attacker have an opportunity to attack? When you're sleeping and they break into your house? Why would your laptop be suspended and not fully shut down if you need this level of protection?
(For USB, you have BadUSB for one.)
It just seems too disproportionate. You're limiting your options based on false assumptions and non-existent attackers who are only going to attack you from one vector?
I completely understand the need for security; I even understand the need to protect against Thunderbolt attacks (among many other things), but you have to first identify what your threat is before you can actually decide what you need to protect against (I've done this before, it was my job), otherwise you end up protecting against the wrong threat because you have an incomplete assessment.
Just based on your no-Thunderbolt requirement because of an attacker who is targeting you and can get physical access to your hardware without your knowledge would suggest an extremely high capability. Your requirements then would be far more extreme than what you're currently looking for, and in fact you're probably looking at custom hardware to get what you actually need if the threat you describe is real.
If that threat doesn't exist and really you're just worried about opportunists regardless of the risk (very low on its own), then it doesn't matter if the machine has Thunderbolt or not, as you would already mitigate any risk with either combination of: not leaving your laptop unattended, Thunderbolt disabled via UEFI, Thunderbolt restricted via VT-d/AMD-Vi, kernel-level DMA restriction to disable DMA.
The fact that the attack in the first place is extremely unlikely to occur and that you have multiple levels of protection against it makes the likelihood of an attack occurring and succeeding so small as to be virtually non-existent.
That's the point I'm trying to get across: you have so many other legitimate threats that are far more likely that focusing on this as a limiting option for new hardware is, well... a bit silly.
In saying that, if the threat really is there, and you're just not saying, then there are a bunch of other things you need to consider, because an actual high-level threat who'd go to lengths to undertake that type of attack on a specific target is basically one thing: the state. If it's the state you're trying to protect yourself from, you have to look at a number of other things as well.
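A quick way to confirm that the kernel-level mitigations mentioned above (IOMMU via VT-d/AMD-Vi and Thunderbolt DMA protection) are actually active on a Linux laptop, as an added example that is not part of the original post: it reads the kernel's Thunderbolt sysfs attributes (the domain's `security` level and `iommu_dma_protection` flag) and checks that IOMMU groups exist. The `ROOT` argument is an assumption added so the check can be pointed at a copied or constructed sysfs tree instead of the live `/sys`.

```shell
#!/bin/sh
# Added example: report whether kernel-level DMA protection for Thunderbolt is in effect.
# Reads real sysfs attributes; ROOT (default empty, i.e. the live /sys) is an assumed
# prefix so the check can be run against a constructed tree.
# Return codes: 0 = protected, 1 = not (fully) protected, 2 = no Thunderbolt domain present.
tb_dma_status() {
    root="${1:-}"
    dom="$root/sys/bus/thunderbolt/devices/domain0"
    [ -d "$dom" ] || { echo "no Thunderbolt domain found"; return 2; }

    # The kernel populates /sys/kernel/iommu_groups only when an IOMMU is active
    groups=$(ls "$root/sys/kernel/iommu_groups" 2>/dev/null | wc -l | tr -d ' ')
    # 1 means DMA remapping is enforced for Thunderbolt-attached devices
    prot=$(cat "$dom/iommu_dma_protection" 2>/dev/null || echo 0)
    # Security level: 'none' authorizes every device automatically,
    # 'user'/'secure' require explicit authorization before PCIe tunnels are set up
    sec=$(cat "$dom/security" 2>/dev/null || echo unknown)

    echo "iommu_groups=$groups iommu_dma_protection=$prot security=$sec"

    if [ "$prot" = "1" ] && [ "$groups" -gt 0 ]; then
        echo "PROTECTED: IOMMU active and DMA remapping enforced for Thunderbolt"
        return 0
    fi
    if [ "$sec" != "none" ] && [ "$sec" != "unknown" ] && [ "$groups" -gt 0 ]; then
        echo "PARTIAL: IOMMU active, but device authorization is the only gate (security=$sec)"
        return 1
    fi
    echo "NOT PROTECTED: enable VT-d/AMD-Vi in UEFI and kernel DMA protection"
    return 1
}

# List attached Thunderbolt devices and whether each has been authorized
tb_list_devices() {
    root="${1:-}"
    for d in "$root"/sys/bus/thunderbolt/devices/*-*; do
        [ -f "$d/authorized" ] || continue
        echo "$(basename "$d") authorized=$(cat "$d/authorized")"
    done
}

# Run against the live system (or a ROOT given as the first argument) when executed directly
tb_dma_status "${1:-}" || :
tb_list_devices "${1:-}"
```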