Thunderbolt connections may give devices DMA access to host memory, which poses a security risk. Linux has two mechanisms to mitigate Thunderbolt DMA attacks, and you will probably want to verify that at least one of them is active.
IOMMU DMA Protection
This uses the IOMMU to explicitly restrict which memory Thunderbolt devices can access via DMA. This is the preferred way to protect against Thunderbolt-based DMA attacks. It is available on recent hardware (~2018 and forward) and requires Kernel >= 5.0. You can verify IOMMU DMA Protection is enabled using:
$ cat /sys/bus/thunderbolt/devices/domain0/iommu_dma_protection
1
1 means it is enabled. This setting is controlled through UEFI. At least on Lenovo systems it is named "Kernel DMA Protection" (like the Microsoft name for this feature). You can find it under the Security tab.
The second mechanism, Thunderbolt security levels, is the old style of protection that preceded IOMMU protection. If configured properly, it allows the user to explicitly authorize Thunderbolt devices before granting them DMA access.
$ cat /sys/bus/thunderbolt/devices/domain0/security
none
none means no protection at all (that will also be the case if you have IOMMU DMA protection enabled).
user requires the user to authorize a Thunderbolt device each time it’s connected.
secure is like user, but devices authorized in the past do not require re-authorization.
dponly only allows DisplayPort pass-through.
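
The two checks above can be combined and run for every Thunderbolt domain rather than only domain0. The following is an added example, not part of the original page: the function name tb_dma_audit and the TB_SYSFS override are assumptions made here, and only the four security levels listed above are classified.

```shell
#!/bin/sh
# Added example: audit Thunderbolt DMA protection for every domain.
# TB_SYSFS is an assumed override so the check can run against a test tree.
TB_SYSFS="${TB_SYSFS:-/sys/bus/thunderbolt/devices}"

# Print one verdict line per domain.
# Returns 1 if any domain is unprotected or cannot be classified.
tb_dma_audit() {
    tb_root="${1:-$TB_SYSFS}"
    tb_rc=0
    tb_found=0
    for tb_dom in "$tb_root"/domain*; do
        [ -d "$tb_dom" ] || continue
        tb_found=1
        tb_name=$(basename "$tb_dom")
        # A missing iommu_dma_protection file is treated as "not enabled".
        tb_iommu=$(cat "$tb_dom/iommu_dma_protection" 2>/dev/null || echo 0)
        tb_level=$(cat "$tb_dom/security" 2>/dev/null || echo unknown)
        if [ "$tb_iommu" = "1" ]; then
            # With IOMMU protection on, security=none is expected.
            echo "$tb_name: OK (IOMMU DMA protection, security=$tb_level)"
            continue
        fi
        case "$tb_level" in
            user|secure|dponly)
                echo "$tb_name: OK (security level $tb_level, no IOMMU DMA protection)" ;;
            none)
                echo "$tb_name: UNPROTECTED (no IOMMU DMA protection, security=none)"
                tb_rc=1 ;;
            *)
                # Levels not described on this page are left for manual review.
                echo "$tb_name: REVIEW (no IOMMU DMA protection, security=$tb_level)"
                tb_rc=1 ;;
        esac
    done
    [ "$tb_found" -eq 1 ] || echo "no Thunderbolt domains found under $tb_root"
    return "$tb_rc"
}

# Usage: tb_dma_audit || echo "at least one domain needs attention"
```

A machine without Thunderbolt hardware has no domain directories, so the function prints the "no Thunderbolt domains found" line and returns 0.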