I'm not sure if "Evil/BadUSB"-style vulnerabilities really apply to HSIC, where the code would know what kind of device to expect. It's possible there are ways to make this work - I'm not aware of any past vulnerabilities of this nature, but I'm not familiar enough with this topic to really make an educated guess. Either way, it doesn't seem like a matter of "just find a zero-day in the baseband and you get DMA", it's more along the lines of a vulnerability in, say, Safari, which then needs all kinds of sandbox escapes and privilege escalations to be useful for an attacker, and it still does nothing to get past Secure Enclave (and possibly Android's variant of that).