But it would need to be actively aware of what is where in memory to do this.
In a past life I did stuff like this where a device driver actually modified a running program to patch it to fix bugs/compatibility. It's not a complete fantasy to imagine that this might be possible.
But, hey, it's software. Anything is possible; with computers it's best to look for what's likely, not what's possible.
When it comes to security, this is a horrible assumption.
It is the nature of the game that an attacker should be expected to use whatever piece they control in the most malicious way possible. Thus if it is possible, and they are motivated, then you should never assume that they wouldn't do that. Because when push comes to shove, why wouldn't they?
And if you're wrong, well, a little paranoia never hurt anyone. Particularly since in this case exercising paranoia is a simple matter of mixing in hardware randomness BEFORE doing all of the other complicating stuff, as opposed to the current order of doing all of the other complicating stuff AND THEN grabbing from potentially untrustworthy hardware that could be playing tricks.
That's sort of my point. "Push comes to shove" -> they'll do the easy thing first.
If their goal is to target Linux, and they know what Linux code looks like, why not take it one step farther?