
Are basebands not sandboxed at all? There's no conceivable reason that my baseband should be able to access my camera, microphone, or the contents of my display in normal production use, as that's all filtered through the CPU typically. Why not have an MMU that limits the baseband to DMA in a specific chunk of memory and reduce the attack surface dramatically? It's not just effective against nation states. With such a protection, 0-click OTA attacks targeting the baseband would have a much smaller blast radius.
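The idea in the comment above, a per-device IOMMU that confines baseband DMA to a designated window, modelled as an added example (not code from the thread or any real modem stack); the 16-page I/O address space, the physical addresses and the mailbox/firmware layout are constructed assumptions, and the check deliberately handles transfers that run off the end of a window or wrap the 32-bit address.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define IOVA_PAGES 16   /* assumption: the device sees a 64 KiB I/O address space */

enum { PERM_NONE = 0, PERM_READ = 1, PERM_WRITE = 2 };

/* One IOMMU context for one device: device-visible page -> physical page + perms. */
struct iommu_ctx {
    uint64_t phys_page[IOVA_PAGES];
    uint8_t  perm[IOVA_PAGES];
};

/* Map a page-aligned range of the device's address space onto physical pages. */
bool iommu_map(struct iommu_ctx *c, uint32_t iova, uint64_t phys, size_t len, uint8_t perm) {
    if (iova % PAGE_SIZE || phys % PAGE_SIZE || len % PAGE_SIZE || len == 0) return false;
    size_t first = iova >> PAGE_SHIFT, n = len >> PAGE_SHIFT;
    if (first + n > IOVA_PAGES) return false;
    for (size_t i = 0; i < n; i++) {
        c->phys_page[first + i] = phys + (uint64_t)i * PAGE_SIZE;
        c->perm[first + i] = perm;
    }
    return true;
}

/* Admit a DMA transfer only if every page it touches is mapped with the needed
   permission. The end address is computed in 64 bits so a transfer near the top
   of the 32-bit space cannot wrap around, and a transfer that starts inside a
   window but crosses its end is rejected as a whole. */
bool iommu_check_dma(const struct iommu_ctx *c, uint32_t iova, size_t len, bool write) {
    if (len == 0) return false;
    uint64_t end = (uint64_t)iova + len - 1;
    if ((end >> PAGE_SHIFT) >= IOVA_PAGES) return false;
    uint8_t need = write ? PERM_WRITE : PERM_READ;
    for (uint64_t p = iova >> PAGE_SHIFT; p <= (end >> PAGE_SHIFT); p++)
        if ((c->perm[p] & need) != need) return false;
    return true;
}

/* Constructed baseband context: a 2-page read/write mailbox and a 1-page read-only
   firmware blob. Display, camera and microphone buffers are simply never mapped,
   so no device-side address resolves to them. */
const struct iommu_ctx *baseband_ctx(void) {
    static struct iommu_ctx c;
    static bool init;
    if (!init) {
        iommu_map(&c, 0x0000, 0x80000000ull, 2 * PAGE_SIZE, PERM_READ | PERM_WRITE);
        iommu_map(&c, 0x2000, 0x80002000ull, PAGE_SIZE, PERM_READ);
        init = true;
    }
    return &c;
}

int main(void) {
    const struct iommu_ctx *bb = baseband_ctx();
    printf("mailbox write: %d\n", iommu_check_dma(bb, 0x0000, 4096, true));   /* 1 */
    printf("firmware write: %d\n", iommu_check_dma(bb, 0x2000, 4, true));     /* 0 */
    printf("unmapped read: %d\n", iommu_check_dma(bb, 0x3000, 4, false));     /* 0 */
    return 0;
}
```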


Historically the baseband was the primary processor with full control and the CPU was subordinate. This is because the baseband code was developed by the chip manufacturer, so they gave themselves full control over the system to make it easier for themselves.

This may no longer be the case right now as the primacy of the CPU has become increasingly obvious, but it should still be the default assumption since having the baseband in control lowers costs to the chip manufacturer which is their lifeblood.



