Need to restrict the allowed USB devices on the modem bus
The modem, as the untrusted part of the system, must be restricted to a whitelisted set of necessary functionality, e.g. serial USB device, a certain PID/VID.
Since the modem may be malicious, that would restrict the attack surface area available to it. Even if it's found to pretend to be something it isn't (input device, booby-trapped filesystem), it wouldn't be able to do much damage.
Some of the same precautions apply here as with untrusted external USB devices, although the device has more information in this case, and the way of letting the user know about irregularities should be different here.
Credit to a random internet stranger's post reminding me of this.
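
A sketch of the allowlist decision described above, as an added example that is not code from this project. The VID:PID is a placeholder, the allowed interface classes (CDC control 0x02 and CDC data 0x0a) are an assumption about what a serial modem needs, and the descriptors are constructed samples.

```python
"""Allowlist policy for devices enumerating on the internal modem USB bus."""
from dataclasses import dataclass

# Placeholder VID:PID for the expected modem (assumption; substitute real values).
ALLOWED_IDS = {(0x1234, 0x5678)}
# Assumed necessary functionality: CDC control (0x02) and CDC data (0x0a) only.
ALLOWED_IFACE_CLASSES = {0x02, 0x0A}

@dataclass(frozen=True)
class Interface:
    number: int
    cls: int  # bInterfaceClass from the interface descriptor

@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    interfaces: tuple

def evaluate(dev):
    """Return (device_allowed, {interface_number: allowed}, alerts)."""
    alerts = []
    if (dev.vid, dev.pid) not in ALLOWED_IDS:
        # Unknown identity: deny every interface, not just the unusual ones.
        alerts.append(f"unexpected device {dev.vid:04x}:{dev.pid:04x} on modem bus")
        return False, {i.number: False for i in dev.interfaces}, alerts
    decisions = {}
    for i in dev.interfaces:
        # A matching VID:PID is not enough: each interface is checked on its
        # own, so a modem that adds HID or mass storage gets only those denied.
        allowed = i.cls in ALLOWED_IFACE_CLASSES
        decisions[i.number] = allowed
        if not allowed:
            alerts.append(f"modem exposed disallowed interface {i.number} "
                          f"(class 0x{i.cls:02x})")
    return True, decisions, alerts

# Constructed sample descriptors (not captured from real hardware).
HONEST = Device(0x1234, 0x5678, (Interface(0, 0x02), Interface(1, 0x0A)))
ROGUE = Device(0x1234, 0x5678, (Interface(0, 0x02), Interface(1, 0x0A),
                                Interface(2, 0x03),   # HID (input device)
                                Interface(3, 0x08)))  # mass storage
IMPOSTER = Device(0xABCD, 0x0001, (Interface(0, 0x03),))

if __name__ == "__main__":
    for name, dev in (("honest", HONEST), ("rogue", ROGUE), ("imposter", IMPOSTER)):
        print(name, evaluate(dev))
```

On a Linux host, one way to enforce such decisions is through the per-device and per-interface `authorized` sysfs attributes; the alerts list is what would feed whatever user notification is chosen.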