Well, if we're going to be paranoid about it, how would you know?

Any self-respecting rootkit would hide itself, and that's even before considering aegis. You could inspect the firmware image on an independent computer running trusted software, but even if you don't find traces of the rootkit there who's to say that it doesn't get downloaded behind your back the first time you go online? In fact who's to say that the code that spies on you has to run on the application processor at all?