If you look at CVEs in Android a lot of them are tied to proprietary Qualcomm binaries. Its crazy how your GPU driver can be exploited to get root access.
If Qualcomm wasn’t so dependent on their vendor kernel that ships with tons of binary blobs it would be lot more secure.
*Free with purchase
You are correct. The software is an integral part of the device and cannot be unbundled.
Maybe I’m missing something, but there don’t appear to be FOSS alternatives to Qualcomm binaries. At least, not with a quick search. I might be able to get better information with a more narrow search.
Here is a decent conversation from 2021. I doubt that things have changed much.
https://news.ycombinator.com/item?id=26596721