Taking a closer look at these functions, using the objdump decompiler, reveals that they are actually called from the ipc_recv_rfs function, itself called from process_ipc_notify_message, which appears to handle the received messages from the modem. Hence we can deduct that the incriminated functions are actually called upon modem request.
This could just as well be a result of the modem's normal runtime (e.g. logging). No one has proven this interface is deliberately accessible over the air.
I think your onus of proof is backwards. We shouldn't need to prove that this interface is accessible over the air. They need to prove to us that it's not. It's not easy to prove it's accessible over the air. But it's easy for them to prove that it's not. They hold all the cards, after all.
