Another idea for Apple would simply be quarantining attachments from unknown contacts. E.g. display that an attachment exists but don't download it to the device until a user accepts an "attachment from unknown sender" warning box.
AFAIK all iMessage attachments (since iOS 14) are quarantined via BlastDoor; any such full system takeover must include at least two escapes: one from BlastDoor, and another from the application sandbox. They also need to cope with ASLR. It's pretty heavy duty even in the most basic default configuration.