The situation hasn't improved significantly in the years since the same vulnerability appeared with Firewire.
There are so many ways to mitigate or stop this, and keep the user in control. Android, at least, knows to prevent privileged device connections with the screen locked.
Or when they had mini-PCI/mini-PCIe slots under a cover on the bottom for network cards etc.
As it says in the article, it can also be done with desktops where you can just pop off the case panel and plug a malicious device into the PCIe bus.
I think the biggest issue with Thunderbolt specifically is that it works over the USB-C port that is also used for charging - so you could make a device that looks like a charger but also attacks the device (maybe with a cellular modem in it to exfiltrate data or something!), making it way easier to trick users to plug it in themselves.
There are so many ways to mitigate or stop this, and keep the user in control. Android, at least, knows to prevent privileged device connections with the screen locked.