Modern Android/Qualcomm phones have pretty sophisticated security architectures that do indeed isolate the baseband, partly because exploiting baseband bugs was such a common source of phone unlocks in the past. If an app is using SSL then the baseband can't read what's happening.