When I recently watched this talk, https://www.youtube.com/watch?v=31D94QOo2gY, I wondered about that, that is, whether a malicious STK app from a network operator could execute AT commands on the phone (and compromise the device using commands from https://www.usenix.org/node/217625).
But from what I gathered from a cursory search, RUN AT COMMAND isn't supported by most devices. (ETSI TS 102 223 states "This clause applies if class "b" is supported by the terminal and enabled by the subscriber through the terminal.")