fwiw, it is most definitely possible to build an sd card that can exfiltrate its own data over wifi. in fact, that was the entire point of the Eye-Fi[0] product (though not with any nefarious intent).
though granted that's still a way smaller attack surface than what would be typically granted to a usb device.
I had forgotten entirely about Eye-Fi. Excellent point!
When it comes to physical access, especially with shared physical devices, there's always going to be some type of attack vector, however small it may be.
though granted that's still a way smaller attack surface than what would be typically granted to a usb device.
[0]: https://en.wikipedia.org/wiki/Eye-Fi