If you were a 3-letter agency, wouldn't you have a ton of trivial data and metadata generated by your targets and intercepted in transit to use for that purpose?

Also wouldn't you coordinate a full image of the target's device to break into at your leisure instead of doing it directly on the device on the brief moment it is taken away from the target for inspection at the airport or such?

Though honestly, yeah, there seems to be a bunch of lower-hanging fruit to harvest like android OS security flaws that take at minimum 1 month to plug or even never, etc