1) http://ramtin-amin.fr/#nvmepcie, http://ramtin-amin.fr/#nvmedma (the two articles are separate, but the first provides incidental context for the second): the iPhone 6 kinda maybe sorta didn't dot the Is and cross the Ts with the MMU side of things. So, USB is awesome in that the failure state is "probably can't RCE".
2) I read a comment on here, which I should be able to re-find, but hn.algolia is not cooperating, suggesting that the system design of a particular AGPS implementation (a few years ago) interposed the GPS in between the CPU and the cellular radio such that the GPS SoC could do HTTP requests to grab its almanac that all of Android, down to the kernel, had no idea about.
IMHO this level of security paranoia is at the end of the day a micro-optimization. For any given device, you're looking at maybe two or three dozen Things Containing ALUs™ (often buried inside subcomponents buried inside other things); one or two concentrations of several billion transistors; and an unknown proportion of manglement, incompetence, cost-cutting, internal compromise (because guarantee there's none), and Agreements™. Honestly: give up, and declare that whatever makes you feel better is enough.
Modems are often isolated by being connected via USB, or if on your SoC the modem has DMA then it's isolated via IOMMU groups.
SIM cards have to implement the E911 feature which allows 911 operators to toggle a cell phone into "stay online no matter what" mode.
Some SIM cards have additional apps installed on them, which allows attacks like Simjacker and WIBattack.