I don’t think you understand what the security boundary of iMessage is.
People’s phones got compromised by NSO sending images to them via whatsapp that used an exploit in one of the image libraries to run a malware payload. The security boundary isn’t about whether you can see your own messages, it’s whether bad people can root your phone by getting untrusted code to run. That’s a very different proposition if iMessage is a single codebase that they fully own end to end versus it has a plugin ecosystem. Having such a plugin system widens the security boundary by adding a much larger codebase that would require trust.
It doesn't need to be a plugin ecosystem - no third party code needs to run within the iMessage processes/sandboxes/containers. In fact, no third-party code needs to run at all on the phone - all that's needed is to expose an API over BLE that allows previously authorized external devices to query/send messages.
In defense of the "it's security!" position (which is not mine): I think they mean a similar vulnerability could exist on the client side of the API. As in someone sends manipulated media that targets a vulnerability on the third party device, the media gets forwarded through the API, now that compromised third party device does bad things over the API.
Personally, I think that it's really just a convenient third party lockout excuse, but the argument isn't quite as bad as it may seem at first glance.
> People’s phones got compromised by NSO sending images to them via whatsapp
Has this happened on iOS via WhatsApp?
I know Apple's had a view problems with this happening with iMessage, but always been unsure whether third party app sandbox does a good job of containing this?
No, that’s not true. NSO Group already has the means to send people spicy JPEGs all they want. Adding this would not significantly change their capabilities.
People’s phones got compromised by NSO sending images to them via whatsapp that used an exploit in one of the image libraries to run a malware payload. The security boundary isn’t about whether you can see your own messages, it’s whether bad people can root your phone by getting untrusted code to run. That’s a very different proposition if iMessage is a single codebase that they fully own end to end versus it has a plugin ecosystem. Having such a plugin system widens the security boundary by adding a much larger codebase that would require trust.