Neither of these things is true. You don't have to update firmware, firstly.
Secondly, the fact that the drone and the controller "use wifi" doesn't mean that they're connecting to arbitrary wifi access points. The drone controller (at least for the two drones I had) is a WAP itself, a real strong one, and the drone connects to the controller. You don't need a phone to fly a DJI - the phone connected to the controller via USB cable provides telemetry and real time video. If you just want to fly the drone around and maybe capture some cool video, that doesn't require a connected phone.
Source: owned a DJI Mini and own a DJI Mini 2, very close friends with people who own the Mini 3 and other, more expensive ones (with the video screen built in to the controller). I fly mine and use an old OLED Android phone as the video/telemetry screen - no SIM card or cellular connectivity. I can take the whole setup to the middle of a forest with no connectivity at all and it will connect, fly, and record telemetry and video on the phone and on the SD card in the drone.
Maybe my perspective is biased - I live on a river and fly my DJI Mini 4 Pro 1-2x a week sitting in my back yard, connected to wifi.
The threat vector for my usage pattern is basically, a rogue firmware update could transmit the video feed, telemetry, etc via controller wifi connection to DJI/China in real time.
For people flying in remote locations with no connectivity, the threat vector is a bit more complicated.