
It does seem insane. But the support engineer having local network access after remoting in without the customer's willing consent also seems insane. It's obviously there so they can fix these devices, but shortcuts made for engineers are such a common security risk.

Ideally you would have a backdoor on the device that's open only to the local network. User runs an app on their PC, provides willing consent for someone to complete a support task by providing an OTC to the engineer. App goes and discovers the device, and hosts the session for the engineer. If the user can't perform such a task they can probably buy a device with one button on it that will, or pay for a callout or return.
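
Added example, not part of the comment above and not any vendor's code: a sketch of the consent gate that comment describes, where the user's local app issues a one-time code and hosts a session only when the engineer presents it. The class name, the 8-digit code format, the 5-minute lifetime and the 3-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time


class SupportConsent:
    """Runs in the user's local app (hypothetical name); gates a support session on an OTC."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.monotonic):
        # Assumed policy values: 5-minute lifetime, 3 wrong guesses allowed.
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock
        self._digest = None   # hash of the outstanding code, never the code itself
        self._expires = 0.0
        self._failures = 0

    def issue_code(self):
        """User action: create a fresh code to read out to the engineer."""
        code = f"{secrets.randbelow(10**8):08d}"
        self._digest = hashlib.sha256(code.encode()).digest()
        self._expires = self.clock() + self.ttl
        self._failures = 0
        return code

    def redeem(self, presented):
        """Engineer side: return a session token, or None if consent is not valid."""
        if self._digest is None or self.clock() >= self._expires:
            self._digest = None          # nothing issued, or the code has expired
            return None
        candidate = hashlib.sha256(presented.encode()).digest()
        if not hmac.compare_digest(candidate, self._digest):
            self._failures += 1
            if self._failures >= self.max_attempts:
                self._digest = None      # too many guesses: user must consent again
            return None
        self._digest = None              # single use: the code cannot be replayed
        return secrets.token_urlsafe(32)
```

Without a code issued by the user there is nothing to redeem, so the session endpoint stays closed by default.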



