> well, a concerted attack could easily subvert the baseband

In theory Pixel phones have IOMMU and GrapheneOS is using them, so even a compromised baseband doesn't result unrestricted access to the system.

> Even if you run Qubes, if your router is controlled by your attacker, what kind of a security guarantee could you really get for yourself?

I do run Qubes, and a compromised router, e.g., will not get access to any passwords that I store in an offline VM as text, even with any previously known vulnerability since 2006.