Yeah, just keep auto updates off. I've heard directly from a self-custody crypto mobile wallet provider that even though it's self custody, they could push an auto update to sign transactions... Can't mention them by name, but there's really nothing unique about them. Third party trust is third party trust.
In the meantime, if the result of a device hack is a compromised keystore, there goes your e2ee.
Depending on how they designed the client keystore access, it might be possible, but that would be an obvious design flaw.
device hack
there goes your digital life essentially
But not your bitcoin!