At some point digital security turns into physical security, and there are national security interests that have fine-tuned their detection logic on these kinds of "buggy" behavior.

If you patch it, you'd need to find another way to de-anonymize those users.

So, somewhere, some government or organization might want to blow the user into kibble, and that's an important use case?

I feel like this should be toward the top of the terms of service for the phone, even above the mandatory arbitration clause.