Subverting it requires subverting the bootloader sequence, which starts with code in on-SoC ROM, which is nearly impossible to modify, and I add the "nearly" only because nothing is impossible; I sincerely doubt that any agency is able to modify silicon without destroying the CPU and I'm quite certain that if anyone can it's a very closely-held, and therefore rarely-used, secret.
Oh, no. If they can do it, then how often they do it will be limited only by budget.
It will also be limited by not wanting to reveal that they have the capability. Per a former-NSA colleague of mine, that is often the more stringent restriction.
But I'm more concerned about back doors. How do you know there aren't any in there?
I'm fairly certain there aren't any in the Nexus 6 or Nexus 9 low-level boot or hardware security code. However, there certainly could be in firmware blobs. Those run in non-secure mode, but all your data is also accessible from non-secure mode.
That said, the Android security team pays pretty close attention to exploits in the wild, so if there were something like that being exploited on a large scale, I think we'd know. Exploits that are used only for so-called "targeted persistent attacks", whether by criminal organizations or government agencies are a different story, of course, but those simply aren't relevant to most people.
And I'm also somewhat concerned about security flaws. Sometimes just connecting things in nonstandard ways bypasses security measures.
Sure, that's why I said "the next option is to exploit some defect...".
The next option is to exploit some defect in the implementation of the bootloaders and/or fastboot (or in the case of intelligence agencies, even to implant a defect to be exploited). This is probably the best avenue of attack, but it's not easy because the code in question is relatively small, and should be closely scrutinized. Most of it is not open source, though, so scrutiny is limited.
Another fine place for a back door, though, and still not that unlikely that a flaw will exist there. The critical code paths should be sufficiently short that it's worth disassembling them.
You seem to be restating what I just said :-)
The final option is to ignore all of the above and simply attack the hardware. Remove the flash chips and install them in a custom device which reads out their contents. This threat is what device encryption exists to mitigate.
Well, I'm strongly in favor of encryption. But I still don't trust the hardware, so I don't trust my phone to keep secrets.
Keep what secrets from whom? If the NSA is really your adversary and they're specifically targeting you, you're simply screwed. Seriously, give up now. My goal is to ensure that your device is secure against (a) remote network exploits, (b) locally-installed software and (c) hardware attacks of moderate sophistication. (c) definitely includes "I lost my device and some clueful hardware engineer found it".
Assuming you're running up-to-date software (yeah, much easier said than done, I know), haven't done anything yourself to compromise the Android security model (e.g. running around with an unlocked bootloader) and have a reasonably-good password and an encrypted file system, I give you high odds of being perfectly safe against (a), (b) and (c).