"There are three main categories of entry into a device via zero-days: WhatsApp/Signal, SMS/MMS, and Firefox/Chrome/Safari. If these can be isolated, entering a device could become harder."

I guess the nasty passive attacks are all, if you are even exposed to this url, even if you don't click on it, something bad can happen.

"graphite spyware" "Unlike older malware that requires a user to click a malicious link, Graphite can covertly infect a phone without any user interaction" LMMV, google AI summarizer

https://en.wikipedia.org/wiki/Capability-based_security is ultimately the approach to fix this kind of fractally pernicious security problem.