That's basically what I assumed, but I wasn't aware that SIM cards had that kind of access to the device storage. I thought at minimum it was sending out my location constantly though.
I know next to nothing about telecoms technology, but in my head I always assumed that SIMs were basically just read-only chips containing keys to authorise the phone to use the network. Clearly my assumption was wrong in some way.
SIM cards can contain applets that execute on the baseband.
The baseband often uses the same system memory as the application CPU (where Android runs), and might even be in the same package or on the same silicon. In theory, devices shipped with an MMU to prevent the baseband from fucking with the application processor. In reality, even Qualcomm ships broken MMU configs, and doesn't bother to ship a fix until the device is near EOL. I can't even imagine the horror show of Mediatek's MMU.
Of course it's also possible that this is Google playing nice with Chinese legislation...