The baseband on the supported devices is isolated via IOMMU. This means that an exploit of the baseband does not compromise the OS without exploiting it too. Our protections for the OS protect it from an attacker that has compromised the baseband. We also offer attack surface reduction features for the baseband including LTE only mode and always offering all the standard configuration options for VoLTE, VoWiFi, etc. when applicable rather than configuration options being unavailable with many carriers. We plan to add further attack surface reduction toggles over time.
We also currently only officially support devices receiving both the Android Security Bulletin patches each month along with the recommended cross-device Android patches and Pixel-specific patches (Pixel Update Bulletin lists both of these, but most apply to other devices too). These include baseband firmware security patches.
The baseband firmware and other firmware has verified boot with rollback protection just like the OS.