I thought this was well-known, Android is not private at all until you degoogle. Unlock your bootloader then install a ROM without Google Play Services such as GrapheneOS, CalyxOS or LineageOS.
You can also consider installing microG, an open-source minimal implementation of Google Play Services, if some of its functionality is absolutely necessary for you to keep.
The factual basis of your assertion is absolutely true, but your attitude is unhelpful and defeatist.
There is a chasm between "a state actor throws a 0day at you" and "Google remotely installs an app on your phone". The latter is done at scale. The former is expensive, risky, and used relatively rarely.
If you're organizing a protest movement, it's totally reasonable to factor government 0days into your threat model. For more boring people, running GrapheneOS is a great way to reduce the attack surface they expose to the advertising and mass surveillance industrial complex.
1) http://ramtin-amin.fr/#nvmepcie, http://ramtin-amin.fr/#nvmedma (the two articles are separate but the first provides incidental context for the second) the iPhone 6 kinda maybe sorta didn't dot the Is and cross the Ts with the MMU side of things. So, USB is awesome in that the failure state is "probably can't RCE".
2) I read a comment on here, which I should be able to re-find, but hn.algolia is not cooperating, suggesting that the system design of a particular AGPS implementation (a few years ago) interposed the GPS in between the CPU and the cellular radio such that the GPS SoC could do HTTP requests to grab its almanac that all of Android, down to the kernel, had no idea about.
IMHO this level of security paranoia is at the end of the day a micro-optimization. For any given device, you're looking at maybe two or three dozen Things Containing ALUs™ (often buried inside subcomponents buried inside other things); one or two concentrations of several billion transistors; and an unknown proportion of manglement, incompetence, cost-cutting, internal compromise (because guarantee there's none), and Agreements™. Honestly: give up, and declare that whatever makes you feel better is enough.
Do any of the privacy-oriented custom ROMs protect against that? I can't imagine their maintainers seeing code that just installs any app the ISP wants and being okay with it.
The problem is, it's usually cheaper the more things you can shove into one hardware item, so you have your cellular hardware in the same chip as your CPU and GPU. Not much a ROM can do about this unless the chip itself supports disabling direct memory access across the two items, + does it correctly, + doesn't allow it to be reversed from the other side, + you would also need the datasheet to find out how to implement this.
Generally why privacy ROMs don't support more than 1 or 2 brands total, I guess.
There are also platforms with strict division between the separate parts of the hardware, à la the PinePhone and the Librem 5.
A core issue is that building Android ROMs is very difficult to do in a simple and accessible manner. The build systems generally all require enterprise-server levels of memory, and a build can easily take hours. Every device has a unique configuration; imagine if every brand of laptop ran its own variant of Ubuntu. For most "ROMs" that you find in obscure places like XDA, the builds by random people across the globe are a much greater security risk than good first-party updates.