No i didn't forget about the baseband, hence the NSA grade malware.
That said I haven't seen a single phone that when in airplane mode or off showed any signs of transmitting anything.
I've also done testing with RF fuzzing phones and nothing happened.
Other people did more analysis including power consumption monitoring etc. and there is no "on by default" home phone feature on basebands.
Can a base band be backdoored? sure, can the police do that most likely not, if anything the "quality" of commercial cellphone malware is fairly low most of it requires physical access to the phone or social engineering to install.
US Law enforcement relies mostly on cell provider and IMSI catcher based tracking, some departments might have access to commercial RAT products ala FinFisher but I have seen no evidence that anyone has access to baseband based exploits.
If anything it seems that even state actors do not have turn key solutions for remotely accessing the basebands of commercial mobile phones and often have to resort to compromising the supply chain to launch targeted attacks.
So yes the baseband is a CPU, it's probably considerably less secure than you would want, but saying that every baseband or even the top 10 most popular ones are or can be compromised at will doesn't pass the current smell test.
