Hard drives and SSDs have more storage capacity than is actually presented to the OS, mostly for remapping bad sectors, possibly for storing internal metadata for the disk's operation. A malicious firmware could use that unmapped storage capacity to store larger, more versatile payloads.