So which is the bigger practical risk in 2023? A person physically taking your phone and compromising it? Or a software update making your phone unusable and possibly suffer catastrophic data loss?
Yes. Note that the person in question doesn't have to be a random mugger on the street. It could be a suspicious spouse, nosey coworker, or a voyeuristic phone technician.
What "suspicious spouse"? If someone has a personal computer and can sift data off a phone via something like a USB connection, they are probably either a state-level adversary or a professional black hat.
At this point you may as well give up, because those people have access to (years old) 0-day exploits, which work flawlessly regardless of "security measures" used by phone manufacturer.
One who thinks the other is cheating and wants proof by sifting through texts or whatever.
> If someone has a personal computer and can sift data off a phone via something like a USB connection, they are probably either a state-level adversary or a professional black hat.
If the bootloader is unlocked you can just replace the operating system with a backdoored version. Since there's no signature checking, there's nothing to check for this. No password cracking required. If you want to see what it looks like, look at x86 PC land where locked bootloaders aren't the norm: https://www.greyhathacker.net/?p=50
So have the fucking owner put a password on it or have the device generate a random passphrase on first boot. Having locked boot loaders doesn't necessitate that you lock out the owner.
> If the bootloader is unlocked, it's only permanent until you reflash it.
That's very vendor specific. Of the Android phones I've owned none of them exhibited that behavior. You could flash and reflash without re-unlocking. It only gets locked if you issue an explicit lock command.
> Also, there are options between "user has no control" and "totally unsecured bootloader" (ex. user-provided keys)
There are good reasons to have unlockable boot loaders, but this case specifically (i.e. data loss from when your phone bootloops) isn't one of them. For one, do you really expect the average user to generate their own keys, reconfigure their bootloaders, and resign their ROMs? Even if they could pull it off, that effort would surely be better spent setting up an actual backup solution, which would protect against other hazards that an unlocked boot loader would not (e.g. phone falling into the ocean).
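The two comments above disagree about what "user-provided keys" buy you over an unlocked bootloader that does no signature checking. As an added illustration (not code from any commenter or from any phone vendor's boot chain), here is the check a bootloader would perform once an owner key is enrolled: the image only boots if its trailing signature verifies against that key, so a ROM replaced by someone with temporary physical access, or signed under a different key, is refused. The image layout (raw image bytes followed by a 64-byte Ed25519 signature over the SHA-256 of the image) and the function names are assumptions for the example, not a real vendor format; the ROM bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assumed (hypothetical) layout: <image bytes> || <64-byte Ed25519 signature
// over SHA-256(image bytes)>. Real boot images carry headers, certificates and
// rollback counters; this keeps only the signature check itself.
const sigLen = ed25519.SignatureSize

// GenerateOwnerKey creates the owner's signing keypair. The public half is what
// the bootloader would enrol as "the user-provided key".
func GenerateOwnerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage is the owner-side step: it appends a signature over the image digest.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	sig := ed25519.Sign(priv, digest[:])
	// Copy so the caller's image slice is never aliased by the signed blob.
	return append(append([]byte{}, image...), sig...)
}

// VerifyImage is the bootloader-side step: it returns the image payload only if
// the trailing signature verifies under the enrolled key, otherwise an error that
// a bootloader would treat as "refuse to boot".
func VerifyImage(enrolled ed25519.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < sigLen {
		return nil, errors.New("image too short to carry a signature")
	}
	image := signed[:len(signed)-sigLen]
	sig := signed[len(signed)-sigLen:]
	digest := sha256.Sum256(image)
	if !ed25519.Verify(enrolled, digest[:], sig) {
		return nil, errors.New("signature does not match enrolled owner key")
	}
	return image, nil
}

func main() {
	ownerPub, ownerPriv, err := GenerateOwnerKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed sample ROM image bytes") // constructed, not a real ROM

	// 1. Owner-signed image: verifies.
	signed := SignImage(ownerPriv, image)
	_, err = VerifyImage(ownerPub, signed)
	fmt.Println("owner-signed image:", err)

	// 2. Same image with one byte flipped after signing: rejected.
	tampered := append([]byte{}, signed...)
	tampered[0] ^= 0xff
	_, err = VerifyImage(ownerPub, tampered)
	fmt.Println("tampered image:", err)

	// 3. Image signed under a different key (not the enrolled one): rejected.
	_, otherPriv, _ := GenerateOwnerKey()
	_, err = VerifyImage(ownerPub, SignImage(otherPriv, image))
	fmt.Println("foreign-key image:", err)
}
```

The point of the example is the split of roles: the owner holds the private key and re-signs whatever ROM they choose, while the device holds only the public key and refuses anything else, which is the middle ground between "no signature checking at all" and "only the vendor's key is accepted". Note that this protects the unencrypted boot partitions from silent replacement; it does nothing for the data-loss scenario the comment above raises, which is why a backup is the right answer to that one.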
> You could flash and reflash without re-unlocking. It only gets locked if you issue an explicit lock command.
Slight miscommunication; I was intending to address the specific security threat of "attacker has (temporary) physical access and flashes something malicious onto the phone's root filesystem (anything from a complete ROM to a kernel module or background process that autostarts and runs as root every boot)", in which case the user can just re-flash the phone's non-encrypted partitions from known-good images and be on their merry way.
> do you really expect the average user to generate their own keys, reconfigure their bootloaders, and resign their roms