On other phones the baseband has full control of the AP because it can read and write to all of its physical RAM. With an IOMMU a compromised baseband can only control things inside its small view, rather than completely compromise everything running on your phone.
But doesn't the IOMMU itself become additional attack surface for compromising the kernel? At least, I've seen it suggested that the tradeoff to gain a bit of defense-in-depth isn't necessarily worth it.
Not having an IOMMU = baseband can access all of the AP's memory.
Having an IOMMU = baseband can only access a small section of memory marked for it, ideally.
Obviously, it's worth implementing this: it turns a baseband compromise from "instant game over" to "might be a problem, but the IOMMU needs to have been set up incorrectly or the code that deals with it needs to have a serious vulnerability".
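As an added illustration (not code from anyone in this thread, and not from any real SoC or phone kernel), here is a toy C model of what the IOMMU does for a DMA-capable baseband. It covers the three cases the thread discusses: no IOMMU at all (bus address is the physical address, so a sprayed DMA write lands on the kernel's page), an IOMMU with a correctly scoped window (every out-of-window access translation-faults and the kernel page stays untouched), and an IOMMU that is present but set up as an identity map over all of RAM, which is the "set up incorrectly" case and buys nothing. The page size, RAM size, window layout, struct names and the `0xAA` marker are all invented for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Invented geometry for the simulation: 16 pages of 4 KiB "AP physical RAM". */
#define PAGE_SHIFT  12u
#define PAGE_SIZE   (1u << PAGE_SHIFT)
#define RAM_PAGES   16u
#define IOVA_PAGES  16u   /* size of the device-side (I/O virtual) address space */
#define KERNEL_PAGE 0u    /* page holding kernel data the baseband must never reach */

enum { PERM_R = 1u, PERM_W = 2u };

/* One IOMMU page-table entry: device page -> physical page frame, with permissions */
struct iopte { bool valid; uint32_t pfn; uint32_t perm; };

struct iommu_ctx {
    bool enabled;                 /* false models a SoC with no IOMMU in front of the baseband */
    struct iopte pt[IOVA_PAGES];  /* per-device translation table programmed by the AP kernel */
};

enum dma_status { DMA_OK, DMA_FAULT_RANGE, DMA_FAULT_UNMAPPED, DMA_FAULT_PERM };

struct attack_result { bool kernel_clobbered; uint32_t faults; };

static uint8_t ram[RAM_PAGES * PAGE_SIZE];

/* Translate a device bus address to a physical address, or fault. */
static enum dma_status iommu_translate(const struct iommu_ctx *ctx, uint32_t iova,
                                       uint32_t want, uint32_t *pa)
{
    if (!ctx->enabled) {
        /* No IOMMU: the bus address *is* the physical address; all of RAM is reachable */
        if (iova >= sizeof ram) return DMA_FAULT_RANGE;
        *pa = iova;
        return DMA_OK;
    }
    uint32_t vpn = iova >> PAGE_SHIFT;
    if (vpn >= IOVA_PAGES) return DMA_FAULT_RANGE;
    const struct iopte *e = &ctx->pt[vpn];
    if (!e->valid) return DMA_FAULT_UNMAPPED;            /* translation fault: access dropped */
    if ((e->perm & want) != want) return DMA_FAULT_PERM; /* mapped, but not writable/readable */
    *pa = (e->pfn << PAGE_SHIFT) | (iova & (PAGE_SIZE - 1));
    return DMA_OK;
}

/* The baseband issues a one-byte DMA write; the IOMMU (if any) sits between it and RAM. */
static enum dma_status dma_write8(const struct iommu_ctx *ctx, uint32_t iova, uint8_t v)
{
    uint32_t pa;
    enum dma_status s = iommu_translate(ctx, iova, PERM_W, &pa);
    if (s == DMA_OK) ram[pa] = v;
    return s;
}

/* Kernel-side setup: expose npages of RAM starting at pfn to the device, at iova page 0. */
static void iommu_map_window(struct iommu_ctx *ctx, uint32_t pfn, uint32_t npages, uint32_t perm)
{
    memset(ctx, 0, sizeof *ctx);
    ctx->enabled = true;
    for (uint32_t i = 0; i < npages && i < IOVA_PAGES; i++)
        ctx->pt[i] = (struct iopte){ .valid = true, .pfn = pfn + i, .perm = perm };
}

/* Compromised baseband: spray a marker byte into every page it can address. */
static struct attack_result baseband_attack(const struct iommu_ctx *ctx)
{
    const uint8_t marker = 0xAA;
    struct attack_result r = { false, 0 };
    memset(ram, 0, sizeof ram);
    for (uint32_t p = 0; p < IOVA_PAGES; p++)
        if (dma_write8(ctx, p << PAGE_SHIFT, marker) != DMA_OK) r.faults++;
    r.kernel_clobbered = (ram[KERNEL_PAGE << PAGE_SHIFT] == marker);
    return r;
}

/* Scenario 1: no IOMMU, the "instant game over" case. */
struct attack_result scenario_no_iommu(void)
{
    struct iommu_ctx ctx = { .enabled = false };
    return baseband_attack(&ctx);
}

/* Scenario 2: IOMMU with a correctly scoped 4-page window (physical pages 12..15). */
struct attack_result scenario_windowed_iommu(void)
{
    struct iommu_ctx ctx;
    iommu_map_window(&ctx, 12, 4, PERM_R | PERM_W);
    return baseband_attack(&ctx);
}

/* Scenario 3: IOMMU present but misconfigured as an identity map over all of RAM. */
struct attack_result scenario_misconfigured_iommu(void)
{
    struct iommu_ctx ctx;
    iommu_map_window(&ctx, 0, RAM_PAGES, PERM_R | PERM_W);
    return baseband_attack(&ctx);
}

int main(void)
{
    struct attack_result a = scenario_no_iommu();
    struct attack_result b = scenario_windowed_iommu();
    struct attack_result c = scenario_misconfigured_iommu();
    printf("no IOMMU:            kernel page clobbered=%d faults=%u\n", a.kernel_clobbered, a.faults);
    printf("windowed IOMMU:      kernel page clobbered=%d faults=%u\n", b.kernel_clobbered, b.faults);
    printf("misconfigured IOMMU: kernel page clobbered=%d faults=%u\n", c.kernel_clobbered, c.faults);
    return 0;
}
```

The point of the second scenario is that the baseband has no bus address at all that translates to the kernel's page: its whole address space maps onto its own four pages and everything else faults. The third scenario is why the IOMMU only helps if the kernel programs it tightly; an identity map makes the hardware behave exactly like the no-IOMMU case.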