A dongle has a binary blob, but it's limited to the dongle itself -- it won't most likely be able to transverse the USB pipeline and get access to system memory / processes unless there are vulnerabilities in the USB transfer itself. I can also remove the dongle from the devise and know that baseband is off -- not so if the processor is on the phone itself.