Thanks Ipneblett. Indeed I am familiar with the tied device scenario you describe, but Amazon/NetXL do not describe this as being tied/sponsored etc by any third party service.
I chased up NetXL via Amazon and this was their response:
"NetXL shares its products with its sister company Yay, which specialises in VoIP and offers an auto-provisioning feature.
As a result, when Grandstream devices (purchased through NetXL or Yay.com), are powered up for the first time, or factory reset, they speak to Grandstream to ask who the owner of the device is. These settings for the firmware and config server path will have no impact on the device and will change no settings at all if they are not linked to an active Yay.com account.
Additionally these settings can be changed and will not revert unless the device is factory reset and it speaks to Grandstream again.
I can remove this device in particular from Grandstream’s provisioning server if you would like, however to keep the settings in there will have no effect on your enjoyment of the product. "
So there you have it, there is a commercial arrangement between the two companies which I assume is for their benefit, not mine. It pretty much confirms my initial suspicion that they have crossed the line from simply providing an introduction. They have actually introduced a backdoor for YAY, so I am entirely dependent on YAY not to interfere with or monitor my device. I remain beholden to their bona-fides, and to their server security.
It is as if I bought the device from YAY.
EDIT - solved - I DID (effectively) buy the device from Yay. I just did not know it, because I was deceived. NetXL and YayYay limited are joined at the hip, same director, same registered address etc. This really annoys me, as having been fully aware of the pitfalls of buying a VoIP device from a service provider, I made sure to buy from an independent reseller - or so I thought.