Whenever you see 0days reported by someone from Threat Analysis Group, it means that Google (TAG is a team within Google) used some advanced detection technique to discover someone, usually a nation-state, exploiting this "in the wild".
Reading their blog gives insight into how they find these. For example, they discovered CVE-2021-30869 on a "watering-hole" website (i.e. some group in China hacked a Hong Kong protest website and hosted a 0day on it to exploit protestors' devices). I'm guessing Google has methods to scrape the entire web looking for these browser exploits.
On a brighter note, Apple is currently in the process of converting almost all iMessage components to Swift for this reason. I'm sure it is taking many engineering hours, and image parsers/open source libraries like this are the most difficult to convert.
Just one component, the one that parses incoming messages. The problem here is that it parsed the message and decided to pass it to ImageIO, which is written in C++.
The image parser uses ASLR. The Turing-complete NAND computing device they describe in the article was used to do computations on the pointers leaked with the infoleak, resulting in an ASLR bypass. Brilliant.
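A gate-level illustration of what that comment is describing, written here as an added example (it is neither code from this thread nor from the Project Zero writeup, and it does not reproduce the actual exploit). The assumption it makes is that the parser's pixel-wise bitmap combination operators include AND and XNOR; from those two, NAND is one step away, NAND gives every other gate, and a 64-bit value stored one bit per bitmap can be added to a known offset (leaked pointer plus offset equals target address) without the host CPU ever doing the arithmetic. Each of the 64 pixel lanes is an independent machine, so 64 rebases happen in one pass.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulated "bitmap": 64 pixels packed into one word, pixel i = bit i.
 * Assumption (not from the page): the only primitives the image codec hands
 * us are the pixel-wise AND and XNOR combination operators on two bitmaps. */
typedef uint64_t bitmap_t;
static const bitmap_t ZERO = 0;
static const bitmap_t ONES = ~(bitmap_t)0;

static bitmap_t prim_and (bitmap_t a, bitmap_t b) { return a & b; }
static bitmap_t prim_xnor(bitmap_t a, bitmap_t b) { return ~(a ^ b); }

/* NAND is universal. XNOR with an all-zero bitmap is NOT, so
 * NAND(a,b) = XNOR(AND(a,b), 0). Everything below uses only nand(). */
static bitmap_t nand(bitmap_t a, bitmap_t b) { return prim_xnor(prim_and(a, b), ZERO); }

static bitmap_t g_not(bitmap_t a)             { return nand(a, a); }
static bitmap_t g_and(bitmap_t a, bitmap_t b) { return g_not(nand(a, b)); }
static bitmap_t g_or (bitmap_t a, bitmap_t b) { return nand(g_not(a), g_not(b)); }
static bitmap_t g_xor(bitmap_t a, bitmap_t b) {
    bitmap_t t = nand(a, b);                  /* classic 4-NAND XOR */
    return nand(nand(a, t), nand(b, t));
}

/* A 64-bit value is stored bit-sliced: one whole bitmap per bit position.
 * Pixel lane `lane` of every bitmap together holds one 64-bit number, so the
 * 64 lanes are 64 independent registers operated on in parallel. */
#define BITS 64
typedef struct { bitmap_t bit[BITS]; } reg_t;

/* Write scalar v into lane `lane` of register r (host-side load, not a gate). */
static void reg_set_lane(reg_t *r, int lane, uint64_t v) {
    bitmap_t m = (bitmap_t)1 << lane;
    for (int i = 0; i < BITS; i++)
        r->bit[i] = ((v >> i) & 1) ? (r->bit[i] | m) : (r->bit[i] & ~m);
}

/* Read lane `lane` back as a scalar (host-side store). */
static uint64_t reg_lane(const reg_t *r, int lane) {
    uint64_t v = 0;
    for (int i = 0; i < BITS; i++)
        v |= (uint64_t)((r->bit[i] >> lane) & 1) << i;
    return v;
}

/* Ripple-carry adder: a full adder per bit, built only from NAND-derived gates.
 * sum = a ^ b ^ cin ; cout = (a & b) | ((a ^ b) & cin) */
static reg_t reg_add(const reg_t *a, const reg_t *b) {
    reg_t s;
    bitmap_t carry = ZERO;
    for (int i = 0; i < BITS; i++) {
        bitmap_t p = g_xor(a->bit[i], b->bit[i]);
        s.bit[i]   = g_xor(p, carry);
        carry      = g_or(g_and(a->bit[i], b->bit[i]), g_and(p, carry));
    }
    return s;
}

/* The ASLR-bypass shape: rebase up to 64 leaked pointers by a known offset,
 * all of the arithmetic happening inside the NAND machine. */
void nand_rebase_many(const uint64_t leaked[BITS], uint64_t offset, uint64_t out[BITS]) {
    reg_t a, b;
    for (int lane = 0; lane < BITS; lane++) {
        reg_set_lane(&a, lane, leaked[lane]);
        reg_set_lane(&b, lane, offset);
    }
    reg_t s = reg_add(&a, &b);
    for (int lane = 0; lane < BITS; lane++) out[lane] = reg_lane(&s, lane);
}

/* Single-value convenience wrapper. */
uint64_t nand_rebase(uint64_t leaked_ptr, uint64_t offset) {
    uint64_t in[BITS] = { leaked_ptr }, out[BITS];
    nand_rebase_many(in, offset, out);
    return out[0];
}

int main(void) {
    /* Constructed sample values, not addresses from any real process. */
    uint64_t leaked = 0x0000000104a3c000ULL, offset = 0x1234ULL;
    printf("%#llx + %#llx = %#llx\n", (unsigned long long)leaked,
           (unsigned long long)offset, (unsigned long long)nand_rebase(leaked, offset));
    return 0;
}
```

The point of the bit-sliced layout is that a single pixel-wise operator application advances every lane at once, which is why an image operation that looks absurdly slow per gate still gets useful work done on pointer-sized values.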