New eSIM vulnerabilities in Kigen eUICC cards expose billions of IoT devices to potential cyberattacks.
“Successful exploitation requires a combination of specific conditions. An attacker must first gain physical access to a target eUICC and use publicly known keys,” Kigen said. “This enables the attacker to install a malicious JavaCard applet.”
If an attacker has physical access, they can do whatever the fuck they want with the device. All bets are off.
If I had physical access to a server, I could just fucking drop in my own hard drive full of malware if I wanted to. It doesn’t matter how good the security software/firmware is on the server, when I can physically remove that software/firmware and substitute my own. That doesn’t mean every single server is “exposed to malicious attacks” as is colloquially known.