That is a problem only if the box is externally discoverable
and is running some sort of a server or something which responds, and is a lot more likely if you run a web server on it.
I wondered if the hardware and ST drivers have particular issues... the only way I can think of is if the DMA controller is misconfigured and is capable of overwriting the buffer if an oversized packet is received. That would be truly dumb, even by ST driver standards, given that buffer overruns have been the #1 vulnerability in Windoze since "hacking" was invented
Getting back to the MAC address cost, a quick google shows that a block of 16M MAC addresses (OUI = Organizationally Unique Identifier, also referred to as 'company id') from IEEE Registration Authority, is $1,650.00. The current cost of an IAB is
$550.00 and that gets you 4096 addresses, and that is cheaper than buying any of the little devices mentioned AFAICT.
Is there anyone selling small blocks of MAC addresses?
I looked around the Microchip devices and the SST26VF032BEUI looks interesting since I also need 4MB FLASH storage, but it isn't available until late 2021.