Preferably from a certified refurbisher.
Unless I misunderstand dramatically, Verified Boot is not a deterent against against physical attacks (ex: compromises by the refurbisher) nor is it enough to prevent vulnerabilities in (even Verified / unmodified) privileged blobs like bootloader / init / recovery / fastboot images, for example (one less thing to worry about if using Pixel + GrapheneOS? Unsure).