Zero-touch OTA exploiting a cellular baseband processor in a phone is 100% possible if you control the network (which governments absolutely do). From there, it's just a matter of pivoting over to the application processor in order to enable the camera and mic. This path will almost certainly be less hardened than a userland-to-kernel privesc since the application-to-baseband interface will already be considered a trusted channel by the OS.