It's the job of the operating system to control what applications have access to. The firmware does not need to override anything. The OS should either implement a phone component or delegate to a phone app that has been configured to have phone permission.

Binary blob completley-isolated firmware is possible and simple to implement. It's also safe.