The firmware update requires a transmission channel. It can be either local serial link, ethernet, wifi, cellular. The SBSFU solution provided on STM32L5 ensures that code executing this transfer is running on non secure side of the TrustZone. So, any attack, local or remote will not be able to get secrets. Then when update file is transfered, its authenticity is checked before installation making this a secure update. You can have a look to our STM32Trust security MOOC videos for more explanation and also to AN5447 "Overview of Secure Boot and Secure Firmware Update solution on Arm® TrustZone® STM32 microcontrollers"
