
This is actually not the case. The owner is always made aware of whether the system has been opened up to "untrusted" software or not (they get a warning at boot if it has been), but an "untrusted" system can still be OTA-updated if the original OS image has been preserved as-is. This is often combined with some amount of custom modification by separately installing an "overlay"-based solution such as Magisk. But a full-custom ROM cannot be updated in this way, because the manufacturer's OTA update is monolithic and effectively replaces the original stock ROM!


AIUI, an OTA update (or USB update) is effectively carried out by software that was booted from the same flash memory to which the untrusted software was written.

I accept that the manufacturer's OTA update is intended to be monolithic, is designed to be monolithic, but what assurance do I (the owner) have that the software that was flashed by a physical user actually flashes its replacement monolithically? That it leaves nothing behind?

EDIT: on further reflection, it seems possible to design a phone that provides such an assurance. That any monolithic OTA update actually has to be monolithic, even if untrusted software is in control of the main CPU. But I wouldn't want to bet that any/many/most phones built today actually offer that guarantee.



