Hacker News

rootsudo, today at 3:07 PM (0 replies)

Cheap smartphone path is harder and harder. Unfortunately the Pixel series is easiest, but comes in at double the number for unlocking the bootloader and flashing Lineage, etc.

Xiaomi has ironically been the pioneer in this field, but their phones are inaccessible in the USA, assuming you’re USA-based. The MediaTek chipset is also more fun for this than Qualcomm.

Besides SUID binaries, the radio firmware and the subsequent radios for WiFi and Bluetooth do give out a lot of information and are open to exploitation.

The most opaque and privileged attack surface is often the modem/baseband and vendor diagnostic stack, which allow carriers to process local-side AT commands.

Qualcomm is better documented, though there are fun discoveries on MediaTek I’ve made just using binwalk.