This is pretty terrifying. So many "arbitrary code execution with root privileges" exploits! They may be fixed, but how many more are still only known to malicious third parties?
And without even needing to install anything! "Processing maliciously crafted web content may lead to arbitrary code execution."
I can't recall so many (80?) security fixes in a recent iOS update. A malicious font, audio file, image file or website can cause arbitrary execution?! When a file parser or Safari is vulnerable, why doesn't the iOS sandbox block device/root modifications?
What happens if your device is already infected? Does the update process replace all OS files or could an infected device still contain malware after upgrade to 10.3?
Are there tools or apps that can report system level logs, e.g. could iOS 10.3 detect and report if known-malicious files are present on a device?
"may lead to arbitrary code execution" often means they didn't take the time to detect whether it does.
The reason is that it isn't worthwhile to spend time on that. Firstly, it is typically impossible to prove that a vulnerability cannot lead to arbitrary code execution (to do so, you would likely have to know _all_ vulnerabilities in your code), and secondly, defense in depth still requires plugging all holes, even if you can _now_ prove they just lead to an impregnable barrier.
And already-infected devices are very, very likely safe after a reboot (the OS will only run signed code, and the malware isn't signed, or even considered code), but they may still carry files that could infect systems running older iOS versions.
The sandbox does block such modification, but a useful exploit would combine the arbitrary code execution vulnerability with a sandbox escape, using e.g. some arbitrary read/write vulnerability in the kernel or similar.
In that case, would the list of iOS 10.3 security fixes mention at least one sandbox escape or kernel vulnerability? Since it does not, can we assume that most (all?) of the listed "arbitrary code executions" would be isolated by the iOS application sandbox?
Or should we assume that competent attackers are hoarding sandbox escapes and thus most app vulnerabilities can be escalated to device compromise?
No, you can't make any such assumptions from the text of the update. But you can probably assume there's a localhost sandbox escape (or kernel RCE) available to serious attackers.
You're following security updates for flaws in an entire operating system and an entire browser. This is pretty much par for the course. Chromium has one of the best security teams and one of the best SDLC processes in the whole industry, and you'll see similar update stats for them if you watch closely.
My presumption with any technology is that there are security risks and issues. What is more concerning to me is the absence of information about these risks and issues.
Apple had a nice time for years while Microsoft acted as a honeypot for crackers. The absence of published problems for Apple products was merely an indication that crackers and researchers were not attempting to poke holes into the Apple ecosystem.
This is pretty silly. If your Linux machine gets owned up through an RCE flaw, you aren't going to be able to rely on the "transparency" of Linux to detect the attacker. Just like with Linux, iOS KRCE is game-over for casual detection.