The largest attack surface against TF-A is the drivers, as they interact with untrusted external hardware. It should be possible for most of these drivers to be de-privileged so that they run in NS-EL1 (or even NS-EL0) and have access only to the hardware they are driving. DMA attacks will be prevented using SMMU, TrustZone, or the ARMv9 Granule Protection Check.