I think this is broadly not true.
Sure, the NSA can probably pull this off. Thing is, the NSA probably does not need to do this at immigration.
I seriously doubt that this is a realistic problem if your threat model is anything less than "The NSA is very interested in me". In that case I don't see how you could trust any phone, regardless of it having been in the hands of border officials or not.
Good luck getting anyone close to this to go on the record about it though given such things normally come with corporate or government gag orders.
There are hundreds of privileged vendor binary blobs on most flagship devices not even Google gets source code to though so supply chain attacks should be assumed.