In no particular order…
So far, you have posted no evidence. Suspicions, yes. Evidence, no.
The macOS default login system is based on LDAP. And macOS inherently integrates with LDAP servers. Which means traces of and references to LDAP will be widespread within macOS.
Apple has security mechanisms which do block various activities by add-in anti-malware as well as by malware, not least of which are the signed system volume, Gatekeeper, notarization, and related mechanisms.
And a Mac won’t erase completely, as features such as Diagnostics Recovery would not otherwise work. If you suspect a persistent compromise, that’s an exceedingly expensive exploit, and there’s no reliable remediation path short of wholesale hardware replacement from random sources.
Based on your postings though, you seem to have cross-platform concerns, though you have posted nothing beyond having suspicions. No recordings of the reported snickering, for instance.
You have quite possibly also found the expected and normal indications of latent support for remote management features, and possibly also for some uses of remote-management-related features, such as mundane activities like carrier Wi-Fi offload.
Certificates are routinely found in keychain and within the trust store too, and certificates are a fundamental part of distributed authentication, and of app and network security. Apps can and do generate their own certificates, as do other activities. And the trust store contains the certificates Apple has trusted.
What are your own personal risks here? Are you an investigative journalist, political dissident, associated with a military or defense organization involved in active conflicts, senior in business or government, of interest to or an annoyance to some exceedingly rich folks or governmental agencies, exceedingly rich yourself or with access to riches, have access to sensitive or classified data, otherwise a potential target for malware?
There are forensics-related websites and training available, or you can pay somebody to examine your gear forensically. That won’t be free, as the folks that want free forensics far exceed those willing to offer that. Forensics usually also involves direct device access, which inherently includes access to sensitive data.
This reply likely won’t be satisfactory though, so I’d ask you what evidence you would accept of not being hacked. I ask that because proving a negative — that you are not hacked — is exceedingly difficult. If there can be no acceptable evidence of not being hacked, then the discussion gets more difficult. Why do I mention that? There are those that will seek to profit from that fear of being hacked, as well. And this wouldn’t be the first case of gaslighting by a trusted associate.
TL;DR: this sort of request likely isn’t going to get resolved around here or on any other forums, whether it is a security issue, gaslighting, or some other entirely non-IT issue that might be arising. Not without supporting forensics, and some likelihood of being targeted by the sorts of malware involved in what is being reported. Or the cause can potentially be completely unrelated to IT.