They could very much force it on you, for new units at least - depending on what micro is on the boards, they could potentially very easy start shipping them with locked bootloaders (and disabled JTAG/SWD porrts) that would only run binaries that are signed by them.

They could potentially have their software load a unexpectedly re-flash existing units with a locked bootloader too, it would just be harder to keep the key secret (because the tool flashing the new bootloader on the first time would need to know it)