by Arnt 2690 days ago
AIUI, an OTA update (or USB update) is effectively carried out by software that was booted from the same flash memory to which the untrusted software was written.

I accept that the manufacturer's OTA update is intended to be monolithic, is designed to be monolithic, but what assurance do I (the owner) have that the software that was flashed by a physical user actually flashes its replacement monolithically? That it leaves nothing behind?

EDIT: on further reflection, it seems possible to design a phone that provides such an assurance. That any monolithic OTA update actually has to be monolithic, even if untrusted software is in control of the main CPU. But I wouldn't want to bet that any/many/most phones built today actually offer that guarantee.