Typically, things like baseband firmware and hardware, Wi-Fi firmware and hardware, and so on are considered totally untrusted, and part of the hostile internet. Therefore, that hardware is totally isolated from the rest of the computer or mobile device by the hardware bus it is connected to and the IOMMU. Firmware is almost always proprietary, and rarely ever updated after all.
But seeing as GrapheneOS is actually receiving security updates for the baseband firmware, which is more than can be said about the vast majority of computer and mobile systems, this has led me to wonder what security we can really expect from the baseband.
Critical vulnerabilities that give remote code execution in the baseband firmware have been found and patched, at least one a year. But what if the baseband was compromised prior to getting the updated firmware? Does the baseband have internal or shared storage where the malicious code can persist itself to compromise the firmware anew at each phone reboot? Is the firmware that is loaded verified through the verified boot process by any means? If the baseband has some storage, is there some way to wipe that storage, like factory resetting it in a secure way that would cause any maliciously changed settings or installed code to be wiped? Or is this just a matter of "we don't know and should just keep treating the baseband as part of the untrusted internet"?