Too bad they don't have no service password-recovery like another vendor...
When you break the boot it just says PASSWORD RECOVERY FUNCTIONALITY IS DISABLED
Do you want to reset the switch to factory default configuration and proceed [y/n] ?
...
That said, there is not too much intelligence that can be obtained recovering a configuration file from an ancillary site. I mean they might know any backup usernames (provided you use RADIUS) those aren't even checked. I am sure you are running SNMPv3 and not clear-text strings...
They might know the VLAN numbers and names for what those represent, which ports carry trunks to other switches, any local subnets and default gateways.
Most likely they have a next hop, IPs of DHCP servers, and the IPs on any access lists, which they would reasonably assume are of important items like RADIUS, monitoring tools, management devices, etc.
I guess if you are running a routing protocol they can dump that table to enumerate available network subnets, too.
Overall though, I doubt this gives anybody access to anything they couldn't get running an ipconfig on their computer, opening AD Users and Computers, using nslookup, or even opening the DNS snapin, which most non-administrator users can ironically do on most AD networks though they won't have the right to change anything. They could probably gather more intel running a traceroute unless you set up ICMP so that all their traceroutes return stars * * *...
I am just saying, I am not sure you gain all that much security preventing the threat of someone recovering a config. I would certainly set a console password, use SSH only, and restrict remote access to the devices... You are only in real danger if you have unencrypted passwords or SNMP strings (particularly private strings) particularly if they are the same network-wide.