
You don't know what code is running on your baseband processor, do you?

Do you know what other hardware your baseband processor has the ability to inspect?


In most SoCs the answer is 'everything' because there's no such thing as an IOMMU.


I was under the impression that most modern (past few years) SoCs like Exynos, Qualcomm, Apple silicon all had IOMMU support. Sometimes it’s misconfigured to be too permissive but that’s getting better.

Qualcomm SMMU: https://www.qualcomm.com/content/dam/qcomm-martech/dm-assets...

Apple: https://support.apple.com/lt-lt/guide/security/seca4960c2b5/...

Samsung (vuln indicating it wasn’t configured correctly, but they still do have and use an IOMMU): https://nvd.nist.gov/vuln/detail/CVE-2022-39854


Why's IOMMU thrown around so casually in this forum as if it were silver-bullet explosive reactive armor? They'd be running something like a 30-year-old giant main loop with "// don't remove this line, build breaks" comments everywhere, not Rust microservices on a formally verified microkernel.

The main CPU/application processor might be running a better-secured Unix/Linux and might be able to protect itself from peripheral CPUs, but that's not the point; a phone has always been a pair (minimum) of computers, traditionally referred to as the Application Processor (AP) and the Baseband Processor (BP), of which only the slightly faster one is exposed to the user, and it's unclear what is going on inside the other one or how to handle it. That's the problem.


How big a concern is this if the data is encrypted by the kernel or user space?


Encryption does not help in this case. They have complete remote control over the entire CPU so they can just run the decryption code directly.

Encryption only helps if the endpoints that can get access to the plaintext are not compromised.


There are at least 2 more exception levels with higher privileges than the kernel on arm64.


Ding ding ding, we have a winner!


Ok, but we are talking about remotely enabling the camera and microphone. The baseband is only responsible for intercepting traffic. This needs kernel injection.

