I wouldn't be surprised if both Google and Apple could do whatever they want with our phones remotely. It's just that they usually don't, so we never see it.
On iOS, at least, software updates require the user to enter their passcode, to prevent a San Bernardino-type backdoor. Though, I believe there are some assets that can be updated without a full system update.
I don't mean to be a tin foil hat, but I have to ask: How do you know? Do you work at Apple, with this exact thing?
From my perspective there shouldn't be a problem for Apple to have the regular updates work as you describe. And also for them to have an alternative method they can use without any user intervention at all. (Which probably very seldom is used.)
