The HG612 and all those other boxes are quite capable of doing other things besides the "dumb" functions you expect them to be doing. For example the issue in https://aastatus.net/1854 had the HG612 apparently inspecting the data passing through it.
I think insisting that the modems, DSLAMS, ONTs and OLTs couldn't is lacking imagination.
I'm sure they could though the lack of any routing is probably going to be a problem.
That I have taken one apart helps, too.
There is configuration in my ONT to report telemetry to Huawei. It is disabled and relies on IP routing to get back there. This is not provided by Openreach and they're the only ones the modem/ONT can reach without modifying user traffic, which would be incredibly blatant.
The vast majority of Internet traffic is encrypted. It would take genuinely epic espionage to know which users are which without massive amounts of siphoning data off to Huawei.
When you get to that level it makes far more sense to attack single targets. If you're that interesting to a nation state they'll do various other things. Subverting provider networks massively will just get unwanted attention and be incredibly obvious. ISPs will get curious when they notice every subscriber connecting to a specific server.
ISPs do have quite in-depth telemetry on their customers and of course our security services have their little black boxes.