fj8989 “Big brands like Samsung, like Google took care of their supply chain security relatively well, but for threat actors, this is still a very lucrative market,” said [senior Trend Micro researcher Fyodor Yarochkin].
I am unaware of practical phones with 100% open-source firmware. If that's right then at present you must pick somebody to trust. I would rather trust Google/Samsung than Xiaomi, OnePlus, etc. And it seems as if Trend Micro, FWIW, agrees.