There is usually little or no security boundary between the AP and complex peripherals (like the baseband, cameras, GPU, audio subsystem, etc.) Usually these will have direct access to main memory (like having a DMA channel given to them), and will have firmware loaded into them by the AP at boot. After which, they can damage the integrity and privacy of your 100%-OSS AP software.
The baseband, particularly, is of concern because it's connected to the outside world, and is powerful and complex. And almost always closed, and provided by an American company (Qualcomm).
The firmware that runs the baseband processor manages communication via the radio (and sometimes wifi and bluetooth as well)[0]. Once loaded, that firmware will have plenty of opportunities to phone home or otherwise provide information about your location, activities, etc.
e.g. The camera firmware blob could be tagging all your pictures with some kind of hidden watermark. Who knows ?
EDIT: Just to clarify, firmware blobs are not executed "on their own", they are normally executed on a micro-controller that is embedded in the baseband / power management / gpu / any other chip.
That my have been what you meant, but it wasn't what you wrote in the blog post. And besides, it's irrelevant if it runs "on its own" or not; in fact, technically, only the bootloader runs on its own, everything else has to be loaded by some piece of software, including the OS itself.
FYI the cameras in most phones (at least the ones I've played around with) contain no firmware. It's just a relatively dumb image sensor connected via a MIPI interface to the main SoC, and is under control of it. It cannot access memory on its own.
Don't know of any particular blogs/articles but you can e.g. Google "OV5647 datasheet" and read the datasheet for the RPi's camera chip. There's not much that could be a security concern on the camera module itself, since it's relatively dumb; it's what controls it that's a different issue.
