Even if the employees capable of directly signing the files make up a very small group, they would probably be authorizing over the phone or a similar indirect route. This opens the door to social engineering by anyone, employee or not, who knows what number to dial and what information to provide. The tech would be authorizing the file without seeing the customer's device and proof of purchase themselves.
To foolproof the system, you would need fewer than a dozen people trusted with the ability to sign the files, and require the device and proof of purchase to be shipped to them rather than allowing unlocks to be authorized remotely.
It's unfortunate that the last line of defense against a stolen machine, the firmware password, has a backdoor. I'd have expected a firmware password on a MacBook to be just as difficult to bypass as an iPhone's passcode. Apple refuses to unlock phones, but will gladly remove a firmware password on a real machine. Disappointing.
The OS X equivalent of an iOS passcode is FileVault. Its current incarnation (v2) uses full disk encryption and doesn't have a (known) backdoor. (v1 used per-user encryption but didn't protect the rest of the disk, and v3 might use AFS to encrypt the whole disk in a way that users can only decrypt their own data and shared areas of the filesystem, not other users' data.)
Firmware passwords are more like Activation Lock for iOS. They make it harder to reuse a stolen computer and stop some less-invasive tampering, but don't offer any guarantees about protecting your data.