It is correct what you are saying, but when I were to ask you to give a guess how much % of cryptocurrency wallet users use a hardware wallet or a wallet on airgrapped device, what would be your guess? I believe that number may not even be double digit. If you take trust wallet as an example, Pegasus should be able to crack that or not?
Spyware is capable of stealing any information on your devices, it can reveal the information on your device to hackers that can steal bitcoin, it can even be beyond only stealing Bitcoin, it can steal anything on ones device.
Trust wallet is even a close source wallet, even if its source code is having malware like spyware, who is going to know than the developers? Nobody. Also spyware can be able to know a lot of activities on you mobile or desktop devices. The best is to just avoid malware which will a lot be helpful. Visit only legit URL, you can have anti-malware for protection, use ad blockers and follow all ways that can protection your device from malware.
But there are massive programs where state authorities have the right to infiltrate mobile devices and laptops via other ways. I read that in Germany there was a discussion that mobile service providers were once suggested to be part of an operation where they infiltrate mobile phones with a state controlled virus at scale. They even wanted to include email providers in that program, but they protested against it and now they found another solution. Mass surveillance is not going to be a Chinese thing only.