The New TCB

TCB = “Trusted Computing Base” = “Reliance set”

What hardware must we trust in the new design? Any switch between the root complex and an endpoint holding your mission-critical data, plus those endpoints themselves, is now in your TCB. Other branches of the PCIe fabric, including that dongle plugged into your USB port, are no longer a threat. Assuming that the relevant portion of the PCIe infrastructure is correctly implemented in your system, you can reason about the reliance set of some of your applications.
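As an added worked example, not part of the original text, here is the rule above applied to a constructed PCIe topology. The fabric is a child-to-parent map; device names such as nvme0, nic0 and xhci0 are hypothetical, and the root complex is counted as trusted because every path ends there. The point the code makes is the one in the paragraph: the USB host controller on the other branch, and the switches above it, never enter the reliance set of the SSD.

```python
"""Reliance set (TCB) of a PCIe fabric for a chosen set of endpoints.

Added example, not from the original text. The topology below is
constructed for illustration; the device names are hypothetical.
"""
from typing import Dict, Iterable, List, Set

# Constructed PCIe fabric as a child -> parent map. The root complex is the
# only node without a parent.
#
#   root_complex
#   +-- switch_a
#   |   +-- nvme0   (SSD holding the mission-critical data)
#   |   +-- nic0
#   +-- switch_b
#       +-- switch_c
#           +-- xhci0  (USB host controller; the dongle hangs off this one)
FABRIC: Dict[str, str] = {
    "switch_a": "root_complex",
    "nvme0": "switch_a",
    "nic0": "switch_a",
    "switch_b": "root_complex",
    "switch_c": "switch_b",
    "xhci0": "switch_c",
}


def known_devices(fabric: Dict[str, str]) -> Set[str]:
    """Every node named in the fabric, root complex included."""
    return set(fabric) | set(fabric.values())


def in_fabric(fabric: Dict[str, str], device: str) -> bool:
    return device in known_devices(fabric)


def path_to_root(fabric: Dict[str, str], device: str) -> List[str]:
    """Nodes from `device` up to and including the root complex.

    Every node on this path sits between the root complex and the device,
    so each of them sees, and could tamper with, the device's traffic.
    """
    if not in_fabric(fabric, device):
        raise KeyError(f"{device!r} is not in the fabric")
    path = [device]
    seen = {device}
    while path[-1] in fabric:
        parent = fabric[path[-1]]
        if parent in seen:  # a parent map must describe a tree; refuse a cycle
            raise ValueError(f"cycle in fabric at {parent!r}")
        seen.add(parent)
        path.append(parent)
    return path


def reliance_set(fabric: Dict[str, str], critical_endpoints: Iterable[str]) -> Set[str]:
    """TCB for the given endpoints: the endpoints themselves plus every switch
    between each of them and the root complex. The root complex is included
    because it terminates every such path (assumption: it is always relied on).
    """
    tcb: Set[str] = set()
    for endpoint in critical_endpoints:
        tcb.update(path_to_root(fabric, endpoint))
    return tcb


def must_trust(fabric: Dict[str, str], critical_endpoints: Iterable[str], device: str) -> bool:
    """Does `device` have to be in the TCB protecting `critical_endpoints`?"""
    return device in reliance_set(fabric, critical_endpoints)


def outside_tcb(fabric: Dict[str, str], critical_endpoints: Iterable[str]) -> Set[str]:
    """Devices whose misbehaviour the design tolerates: everything in the
    fabric that is not on a path from the root complex to a critical endpoint.
    nic0 lands here although it shares switch_a with nvme0: the design relies
    on switch_a (inside the TCB) to keep the two apart, not on nic0."""
    return known_devices(fabric) - reliance_set(fabric, critical_endpoints)


if __name__ == "__main__":
    critical = ["nvme0"]
    print("TCB:", sorted(reliance_set(FABRIC, critical)))
    print("outside TCB:", sorted(outside_tcb(FABRIC, critical)))
    print("must trust xhci0?", must_trust(FABRIC, critical, "xhci0"))
```

Adding a second critical endpoint on the other branch (say xhci0 itself) pulls switch_b and switch_c into the set, which is the cost the text alludes to: the reliance set grows with every branch that carries data you care about.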

Modern commercial operating systems have recently begun protecting system memory from such dongles (by placing their DMA behind the IOMMU), but they do not prevent a clever dongle from copying your sensitive data stored on an SSD into some file that is queued to be sent out soon as email. Nor from merely wiping out the kernel stored on your disk, even if the disk is encrypted.