If the car manufacturer got control of an app on the phone it is trivial to exfiltrate data via Bluetooth.

It's not evidence against it either. Presumably CarPlay and Android Auto could implement a network interface through the application layer, or even activate Bluetooth tethering at the system level as they are privileged apps.

But they could also do this over USB, so something doesn't add up.

RNDIS was a mechanism for tethering over USB, and you could certainly pair "Bluetooth Network Adapters" for years and there's a profile for it. So there's at least precedent for it. That makes it pretty plausible to me.