It does make it much harder though and you can hide shenanigans in encrypted communications during seemingly benign situations where use of location data is expected.
Sure, the more access you have the easier it gets, but even if you have full source code access and full hardware access it doesn't guarantee anything. There was a very serious security bug in OpenSSL that went unnoticed for a year(Heartbleed). If the attacker is sophisticated enough, they can introduce complex bugs that are very hard to reason from the source code and maintain plausible deniability.
