What can survive a secure erase and reinstall? Something did ... how is that possible?

I bow down to you! The NVRAM turned out to be the problem.

I did an nvram -xp to list the contents and there was quite bit there, although nothing I could specifically ID as a preferred network. Then I deleted the vendor's network from System Preferences > Network ... Preferred Networks and then cleared the NVRAM - there was a lot less in it afterwards. For completeness I also ran an EFI integrity check, which was clear, then I did a final 2-pass erase of the HDD and reinstalled Catalina via Internet Recovery. The vendor's network is gone and all looks clean.

Many, many thanks for your clue about the NVRAM!

I decided to try Internet Recovery as Phil0124 suggested. It's running now and I'll report back on how it turns out. I'm just setting up the iMac, so there's no data to worry about backing up.

Here's what I'm doing:

Boot into Internet Recovery

• In Disk Utility,
  • Remove the HFS+ partition I created earlier; resize the APFS container to the entire HDD
  • Do a 2-pass secure erase of the topmost level of the HDD with the options name=iMac HD, format=APFS, scheme=GUID
• Reinstall Catalina

Restart from the HDD

If the vendor's WIFI network no longer shows up in Preferred Networks, I'll consider it a successful wipe & reinstall.

Well, that's certainly interesting. So, do you think this is just a setting being held in NVRAM and not something injected into the macOS Base Image? And how or why would a WIFI network what was joined at some point get stored in NVRAM in the first place? Does this hint that any network ever joined remains stored in NVRAM? Do you think clearing NVRAM might make it disappear?

I would have thought that information about networks joined would be stored in a user or system file of some sort .... and that if one deleted a joined network from the Preferred Networks list that it would be deleted from such file; and if you erased the disk on which such a file existed it would be permanently gone.

(Sorry for all the questions, stuff like this makes me want to put on a tin foil hat. I just want to have confidence that the Macs I just bought aren't carrying some hidden malicious crap ... hence the secure erases and the worry about something that keeps appearing despite the erases.)

OK, so in Disk Utility itself (not the terminal command diskutil list) I can see an Apple disk image / macOS Base System. I assume that's the installer image that Phil0124 referred to.

Where does this reside? And why doesn't it show up in diskutil list? If this is writeable it would seem anyone creating such an install image could play around with the system outside many security controls.

It appears the command is hdiutil, not hdutil. Regardless, all hdiutil info shows is the version of the framework & driver (559.100.2) and I suspect that's for the Apple HDD, not the Apple disk image/macOS Base System (which is probably only mounted & available in Recovery mode - it doesn't even show as an unmounted drive in Disk Utility under Catalina).

When you said "trash all the volumes, partitions and disks" did you mean I should also trash the Apple disk image/macOS Base System? I can't tell where it resides, although I'm guessing it's either in the Mac firmware or some nonvolatile memory. If it's possible to trash it, will a reinstall of macOS/Catalina (via Internet Recovery) rebuild it from scratch?

It looks normal to me.

Sorry, I probably should have mentioned it earlier.