> hardware. If you can verify that the switch disables the radio, you don't have to worry about software do you?
Until the next time you turn radio on, when it could just send out anything, anywhere if the software stack is untrusted, so we are back at square one.
I'm aware. You apparently did not notice my point #2 above:
> 2. some kind of filtering + buffer + delayed send
Resources (compute, storage) are needed for filtering, buffering, sending. However, these actions are not "free": (1) they increase the chance of detection later; (2) they require electrical power; (3) they require additional design and testing for the device using them. Isn't raising the cost of breaching security the basic idea?
So my point stands: A hardware kill switch serves as a security layer. I'm not saying it's perfect, but it is not (in general) simply security theater (your point above).
Until the next time you turn radio on, when it could just send out anything, anywhere if the software stack is untrusted, so we are back at square one.