So the phones might be great, but there are certain members of the campaign that are gonna want to use specific apps and will gleefully grab their personal phone with their accounts synched that can still be phished.

A campaign is not running exclusively on high security embedded systems. So while a secure os could be used in some parts of the process there are a number of other vectors an attacker can take.