Even resident firmware is of some concern. Whether the device has firmware loaded or firmware permanently resident, if that firmware is closed source then it is unable to be audited and hence it may be trusted but it is not verified. So the device itself retains a level of untrustworthiness. That’s just where the world is at right now - and it applies to every computer, not just the Librem 5.
As others have commented, being unable to update the firmware is a two-edged sword.
and that is good but it is as good as it gets right now.
For radios it may not matter so much because a) you are going to broadcast the traffic for anyone to receive, and - for the modem - b) it is going to be received by an untrusted party (the telco / the government). Ideally therefore you are running end-to-end encryption for the traffic over those radios.