If you do not update the phone, chances are high that there is some Linux vulnerability you could exploit. The privileged vendor software can also have vulnerabilities. For example, here [1] researchers hacked the phone with Verified Boot using a boot logo parsing error.
My impression is that you should treat your phone as something that can be hacked at any moment and not store anything important there.
[1] https://www.sstic.org/media/SSTIC2024/SSTIC-actes/when_vendo...