They honestly won't have to if they have a backdoor in the baseband modem, which even in the most OSS friendly phones is still controlled by a large binary blob from the manufacturer. Who's to say state agencies (NSA/GHCQ/etc) haven't found bugs in it just like they have in hard drive firmwares to persist APTs indefinitely?