Any kind of connectivity has a potential to be exploited. You could say that TPMS is just a system that reports pressure back to the car, A one-way communication, no big deal.
But TPMS has been hacked to crash an ECU. If you can crash an ECU with a buffer overflow, you could also potentially run arbitrary code too.
CarPlay and Android Auto are a USB/Bluetooth connection to the Infotainment computer (which, in most EVs, are very closely married to the ECU of the vehicle, if not acting as the ECU itself). Those vectors can absolutely be probed for exploits just as any other kind of communication channel with the vehicle. Just because it was designed to be dumb, doesn’t mean someone can’t figure out a way to bypass the original intent and do bad things.
Of course, I’ve already given away the punchline in this case: The cars are ALREADY vulnerable to remote exploitation thanks to their LTE, WiFi, Bluetooth, and RF functionality. There’s a fairly large surface area to attack and see what happens. Adding CarPlay or Android Auto to the mix doesn’t really add risk to the situation.