That’s true on modern Android even with root. The active OS partition can’t be modified while running, and updates install to the inactive slot. If the bootloader is unlocked, malware could theoretically act as an updater and install itself to the inactive slot, but I’m not sure that has been seen in the wild.
It’s theoretically possible to have a locked bootloader and root. That requires a device with a re-lockable bootloader like a Pixel, and a ROM that has root support built in to the signed image.
Non rooted phones usually have read-only OS partition so even if malware is present, it can’t affect the OS itself
That’s true on modern Android even with root. The active OS partition can’t be modified while running, and updates install to the inactive slot. If the bootloader is unlocked, malware could theoretically act as an updater and install itself to the inactive slot, but I’m not sure that has been seen in the wild.
It’s theoretically possible to have a locked bootloader and root. That requires a device with a re-lockable bootloader like a Pixel, and a ROM that has root support built in to the signed image.