There are a whole bunch of separate concerns in this text.
1. Everybody always knew that the modem would be a blackbox and hence unverified and indeed unverifiable. This is why the modem is in various ways separated from the main system in the Librem 5. This is why the modem can be killed.
This has nothing to do with whether the modem is manufactured in China, the US, the EU or anywhere else. Modem manufacturers generally choose to keep their source to themselves. That is unfortunate and true.
The assumption in the Librem 5 is that the modem is untrustworthy and hence why in theory you can use the modem purely for internet access and place your calls securely over the internet. That means that the modem has no visibility of whether you are calling, whom you are calling, how you are calling.
How much of the above you embrace depends on your threat model.
2. There is always a concern that an individual company may be compromised by a government.
Some people assume that a company is more likely to be compromised by the government of the country where the company is domiciled. While there is some merit in that assumption, it is only an assumption and it is false that a company will never be compromised by a foreign government.
On this basis though some people would not trust a Chinese modem while they would trust an EU modem.
There are limitations to how logical that is but it’s a choice (when it actually does become a choice!) and you can go whichever way suits you.
3. Pegasus is a whole different ballgame.
Whether it is accurate that Pegasus exploits the modem I don’t know. I suspect this is not accurate (having read some fairly detailed discussion linked from this forum q.v.).
In mainstream phones the distinction is mostly irrelevant anyway because the modem is wholly integrated within the overall phone. Exploit the modem part of it or exploit the kernel, it doesn’t really matter. You are toast either way.
What we do know is that Pegasus exploits security vulnerabilities. Noone on any phone wants security vulnerabilities but the exploited vulnerabilities are presumably unintentional and that is quite different from intentional vulnerabilities inserted by the company voluntarily for their own purposes or inserted by or on behalf of a government.
You can bet that Linux-based phones will from time to time have their own unintentional security vulnerabilities. If Linux-based phones get enough profile and usage, you can bet that those vulnerabilities will show up in the Pegasus toolbox. (It doesn’t matter that Linux vulnerabilities are generally fixed in a timely fashion because there are enough slackers who don’t keep their phones up to date. It is still worthwhile to probe for vulnerabilities for which a fix has already been released.)