At first glance, it looks like this is an accident rather than any kind of malicious behavior. The app is normally hidden until you tell Android to show system apps, so you might not notice it unless you went looking for it.
Company chief Carl Pei says his team is "looking into" the software's presence. If it's as widespread as it appears to be, there's a good chance you'll see a software update removing EngineerMode. However, the discovery isn't exactly confidence-inspiring. Between this and previously aggressive data collection, it looks like OnePlus hasn't been paying particularly close attention to security or privacy on its devices. It'll need to run a tighter ship if it wants to persuade users that its software is trustworthy.
Update: OnePlus has issued a statement that recaps the nature of EngineerMode and its threat (again, you need physical access to cause havoc). It's promising to remove the root function from EngineerMode through a future over-the-air update.
Update 2: Qualcomm has looked into EngineerMode and says this isn't its app. There are traces of Qualcomm code, but someone else wrote the bulk of it. We've asked OnePlus if it can comment on this and will let you know what it says, but you can read the full statement below in the meantime.
"After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided."