Yes, and we may all be disembodied brains living in vats inside a teapot. This is why I don't find such arguments very compelling for showing we should necessarily assume we are being surveilled. The same argument can be applied to situations that have nothing to do with the internet too.
Those are certainly possible ways in which the surveillance could still be happening, because nothing is certain. But the argument is necessarily probabilistic (in the Bayesian sense) and not binary. So yes, I have to take this into account to determine my final risk, but there is no point in necessarily assuming I am being surveilled because then I might never do anything at all.
Because your hardware may be compromised.
Because their software may be compromised.
Because their hardware may be compromised.
Because the cryptographic algorithm you're using may be compromised.
Because your 'trusted party' may be compromised.
Because there may be a camera in your room.
Because there may be a camera in their room.
Lots of threat vectors, lots of reasons to assume surveillance.