Really? The cellular network (possibly) knows, by triangulation, but the chip itself cannot determine it. It has no access to GPS or wireless. Ultimately, of course, it means that the provider knows your approximate position, if you don’t turn it off. And, as you said, that wouldn’t change if the firmware was free.
From the campaign page:
The mobile baseband will most likely use ROM loaded firmware, but a free software kernel driver.
I would assume that the firmware / driver interface is rather low-level. Maybe that even includes the possibility to know the commands exchanged between SIM, modem and tower? Either way, I agree, there is probably not much interesting to be found, because every action (that cannot already happen on the network provider side) that could constitute spying or manipulation would require the kernel driver to cooperate.
One possibility that I find interesting (and I’m pretty sure we could have) is to have access to detailed statistics on the cell towers. Lacking proper authentication, you could at least monitor that data for anomalies. (If the cell tower that you are connected to, while also being connected to your home wireless, suddenly sends at double intensity, you might want to check if there’s a van with dark windows in front of your house, mimicking a tower. Perfectly disguised with the imprint “Vote John Doe. Your man from the middle”.)
Or, a bit simpler: whitelisting based on meta-data (which probably only works if the potential spy doesn’t expect it): “Connecting to an unknown cell tower. Deny - Allow - Allow always”
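The two checks suggested in the post above (a signal-strength baseline tied to the home wireless network, and an allow-list of known towers), sketched as an added example that is not part of the original post or of any project's code. It assumes the modem driver exposes the serving cell's identity and received power in dBm; the class, the thresholds and all sample values are hypothetical.

```python
from collections import defaultdict
from statistics import median

DOUBLE_POWER_DB = 3.0  # doubling received power is about +3 dB (10*log10(2))
MIN_SAMPLES = 3        # assumed: readings needed before a baseline is trusted

class TowerMonitor:
    def __init__(self):
        self.allowed = set()               # cells marked "Allow always"
        self.baseline = defaultdict(list)  # (wifi_bssid, cell) -> past dBm readings

    def allow_always(self, cell):
        self.allowed.add(cell)

    def observe(self, cell, dbm, wifi_bssid=None):
        """Classify one serving-cell reading as 'prompt', 'signal-jump' or 'ok'."""
        if cell not in self.allowed:
            return "prompt"  # unknown tower: ask Deny / Allow / Allow always
        if wifi_bssid is None:
            return "ok"      # no fixed reference location, nothing to compare
        history = self.baseline[(wifi_bssid, cell)]
        if len(history) >= MIN_SAMPLES and dbm - median(history) >= DOUBLE_POWER_DB:
            return "signal-jump"  # kept out of the baseline so it cannot shift it
        history.append(dbm)
        return "ok"

def demo():
    # Constructed sample data: test-network cell identities (MCC, MNC, LAC, CID)
    # and a made-up home Wi-Fi BSSID.
    home = "aa:bb:cc:dd:ee:ff"
    cell_a, cell_b = (1, 1, 100, 2001), (1, 1, 100, 9999)
    mon = TowerMonitor()
    verdicts = [mon.observe(cell_a, -95, home)]  # first sighting -> prompt
    mon.allow_always(cell_a)                     # user picks "Allow always"
    for dbm in (-95, -97, -94, -96, -88):        # last reading is 7.5 dB above median
        verdicts.append(mon.observe(cell_a, dbm, home))
    verdicts.append(mon.observe(cell_b, -70, home))  # never-seen cell at home
    return verdicts

if __name__ == "__main__":
    print(demo())
```

Real received power routinely varies by more than 3 dB, so a practical threshold would have to be tuned against observed noise. The allow-list only compares broadcast identifiers, which are not authenticated.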