I think I generalised a bit and didn’t explain well.
For upgrades, the NNS root
1. stops the target canister
2. installs the new wasm
3. starts the target canister again
Between 1 and 2 NNS root waits for the target canister to be stopped and report this back. I think this should be the relevant code where this answer is awaited.
These calls are made to the management canister on the subnet where the target canister is. If the target subnet were dishonest, it could decide not to return the call, and NNS root would have an open call context.
Of course we can now debate how likely it is that the target subnet is malicious, but the NNS has more nodes for more security, and for this aspect the security would be reduced to the security of the target canister’s subnet (which has fewer nodes if the target is an application canister).
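To make the failure mode above concrete, here is an added, std-only Rust model of the stop / install / start sequence; it is not code from this post or from the NNS root canister, and all names (`Root`, `TargetSubnet`, `SubnetBehaviour`, `upgrade`) are hypothetical. The target subnet either answers the management-canister call or silently drops it; the caller opens a call context per outstanding call and only closes it on a reply, so a dropped `stop_canister` leaves the root stuck awaiting step 1 with that context still open.

```rust
// Added example, not the page's or the project's code. Std-only model of the
// NNS root upgrade sequence: stop -> install -> start, with the stop awaited.
// All type and function names here are hypothetical.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Status {
    Running,
    Stopped,
}

/// How the target subnet treats management-canister calls it receives.
#[derive(Clone, Copy, Debug)]
enum SubnetBehaviour {
    /// Executes the call and replies.
    Honest,
    /// Accepts the request but never produces a reply or reject.
    Dishonest,
}

enum Call {
    StopCanister,
    InstallCode { wasm_hash: u64 },
    StartCanister,
}

/// A reply from the callee; in this model every honest call succeeds.
#[derive(Debug, PartialEq, Eq)]
struct Reply;

/// The subnet hosting the target canister (modelled as one canister).
struct TargetSubnet {
    behaviour: SubnetBehaviour,
    status: Status,
    wasm_hash: u64,
}

impl TargetSubnet {
    fn new(behaviour: SubnetBehaviour, wasm_hash: u64) -> Self {
        TargetSubnet { behaviour, status: Status::Running, wasm_hash }
    }

    /// `Some(Reply)` when the subnet answers, `None` when it drops the call.
    fn handle(&mut self, call: Call) -> Option<Reply> {
        if let SubnetBehaviour::Dishonest = self.behaviour {
            return None; // request delivered, reply withheld forever
        }
        match call {
            Call::StopCanister => self.status = Status::Stopped,
            Call::InstallCode { wasm_hash } => self.wasm_hash = wasm_hash,
            Call::StartCanister => self.status = Status::Running,
        }
        Some(Reply)
    }
}

/// The caller's side. Each outstanding inter-canister call holds an open
/// call context until a reply or reject arrives.
struct Root {
    open_call_contexts: u32,
}

impl Root {
    fn new() -> Self {
        Root { open_call_contexts: 0 }
    }

    fn call(&mut self, subnet: &mut TargetSubnet, call: Call) -> Option<Reply> {
        self.open_call_contexts += 1; // opened when the request is sent
        let reply = subnet.handle(call);
        if reply.is_some() {
            self.open_call_contexts -= 1; // closed only by a reply/reject
        }
        reply
    }

    /// On the IC a canister only reaches Stopped once all of its open call
    /// contexts are closed, so a stuck call also blocks stopping the caller.
    fn is_stoppable(&self) -> bool {
        self.open_call_contexts == 0
    }
}

#[derive(Debug, PartialEq, Eq)]
enum UpgradeOutcome {
    Upgraded { wasm_hash: u64 },
    /// Step 1 never returned: root is still awaiting `stop_canister`.
    StuckAwaitingStop,
}

fn upgrade(root: &mut Root, target: &mut TargetSubnet, new_wasm: u64) -> UpgradeOutcome {
    // Step 1: stop, and wait until the target reports that it is stopped.
    if root.call(target, Call::StopCanister).is_none() {
        return UpgradeOutcome::StuckAwaitingStop;
    }
    // Step 2: install the new wasm.
    root.call(target, Call::InstallCode { wasm_hash: new_wasm });
    // Step 3: start the target again.
    root.call(target, Call::StartCanister);
    UpgradeOutcome::Upgraded { wasm_hash: target.wasm_hash }
}

fn main() {
    for behaviour in [SubnetBehaviour::Honest, SubnetBehaviour::Dishonest] {
        let mut root = Root::new();
        let mut target = TargetSubnet::new(behaviour, 1);
        let outcome = upgrade(&mut root, &mut target, 2);
        println!(
            "{:?}: outcome={:?}, open call contexts={}, root stoppable={}",
            behaviour, outcome, root.open_call_contexts, root.is_stoppable()
        );
    }
}
```

The `Dishonest` branch is the point of the model: the request is delivered, the root's state machine suspends at step 1, and nothing on the root's own subnet can close the context, so the count stays at one and the root itself is no longer stoppable.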