Some manufacturers (not of any consumer gear that I know of) require a password change during the initial configuration.

You should take it as a given that if a threat actor gains physical access to your workstation, server, router, switch, or whatever, it's owned.