If the attacker's goal was to erase the user's data, and the firmware _didn't_ erase data on invalidation, then the attacker could simply write a firmware that erases the user's data.
I think in this case the idea is that the attacker isn't physically in possession of the device, but rather has tricked the user into running a malicious firmware updater for the device.
Ah, yeah, that makes sense. Hadn't considered that angle. Would track with the user behavior exposed here, namely getting their stuff from an unofficial source (be it the device itself or the firmware).