Technical probability of Tails OS persistent attack : OpSec | Torhoo darknet markets
Curious about the probability here. I think the probability of a persistent attack on Tails is close to 0.
Setup is Tails OS with a LUKS2-encrypted USB. The USB is unlocked for the duration of my Tails session and is used like persistent storage.
Let's say the network I am using is compromised, so either a cellular network or a wireless network is compromised. Let's see what the attacker can do:
Everything is tunneled through Tor, so they can't do a DNS redirect and serve malicious JS.
(Let's not entertain the possibility of a compromised Tor node. Not in my threat model.)
What other LAN attacks could exist here? Can't think of anything likely given how Tails deals with local traffic.
Assume that I'm never using an untrusted browser.
Even if Tor Browser is compromised somehow by a targeted attack, assuming there is a 0-day in Tor Browser, sandboxing via AppArmor is pretty tight, so it would be hard to get access to the open USB drive.
Even if the attacker has access to the USB drive, they'd have to include a "Tails-specific" executable that runs every time the USB is unlocked. It would have to be a hidden binary.
How could they even get it to auto-execute? Not sure if this is possible without malicious persistence at the Tails OS level, which is of course not possible.
I'm curious to know what the possible "persistent" attacks against Tails are. I can't think of any.
Who is the attacker?
What do you have that is worth attacking?
Let's say you are 18 years old and can barely come up with $63. Are you worthy of a nation-state attack?