Once you’re inside a car that’s on, there really isn’t any security*. The OBD2 port that every remotely modern car has is perfectly capable of accessing all the diagnostics and data streams the car has, and can also control/reconfigure the various computers.

IMO that doesn’t really matter, since the system isn’t powered until the key is in the ignition and the car turned on. You can’t do anything with the key off, and if your passenger wanted to sabotage the car, they’d just yank the wheel as you drive down the highway.

That said, yes OTA updates are a travesty. Specifically because cars have so little security, having any access to their computers from the outside is a massive risk… And if there’s a potential that the country the manufacturer is in turns hostile, that risk certainly isn’t reduced.

* A handful of manufacturers have “added” security to their systems by… (drumroll pls) restricting access to the systems and requiring a subscription for full access. That’s fucking evil and doesn’t even do anything (at least for a mechanic or tinkerer like me) since you can just google “FCA bypass cable” and skip right past the firewall.