bookreader what do you mean by firmware? If you mean GrapheneOS, as opposed to stock OS then problem is likely not there. If you mean firmware that's on the SoC, then that is a thing to worry about and I can not call myself an expert on that issue.
Most of the devices will run stock OS and what more convenient way than doing it over Play Services? Bluetooth toggle ensures that once you turn it off it should stay off unless there is automated software present that turns in on on condition (presuming device is on), I am sure we can agree on that. If it is off and backdoor is planted in the hardware, there is no easy way to verify when SoC activates the bluetooth.
But then, if they could do that with bluetooth, they could do it with any sensor like GPS which could pinpoint your precise location or modem which then could conveniently send it over.