From the BBC article:
" But the researchers said they had also flagged a sixth problem to Apple, which had not been rectified in the update to its mobile operating system.
“That’s quite unusual,” commented Prof Alan Woodward, a cyber-security expert at the University of Surrey.
“The reputation of the Google Zero team is such that it is worth taking notice of.”
The Project Zero team was established in July 2014 to uncover previously undocumented cyber-vulnerabilities. It has previously alerted Microsoft, Facebook and Samsung, among others, to problems with their code."
Note they advise any tech company so that vulnerabilities can be patched. Some teams are just out there to help, as it benefits them, their users as well as the competitors.
We are withholding CVE-2019-8641 until its deadline because the fix in the advisory did not resolve the vulnerability
— Natalie Silvanovich (@natashenka) July 29, 2019
And trust me I too am hesitant to say the least about Google and some of it’s practices, I just don’t fault the Zero team for their work.
If you read the patch notes at https://support.apple.com/en-gb/HT210346 it acknowledges the Google Zero Team among other acknowledgements of other problems by other researchers.
The one not successfully/fully patched accordding to Google Project Zero Team is this one:
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation and later
Impact: A remote attacker may be able to cause unexpected application termination or arbitrary code execution
Description: An out-of-bounds read was addressed with improved input validation.
CVE-2019-8641: Samuel Groß and Natalie Silvanovich of Google Project Zero