On Android at least, there are three areas that are relevant to booting:
- The kernel and initial RAM FS (initramfs), which start immediately after the bootloader. These set up hardware, detect filesystems and start your phone.
- The system partition, which has the entire operating system.
- The data partition, which is encrypted.

The first two are unencrypted, and if the phone has not been rooted/unlocked, only trusted updates from the vendor can be applied. The bootloader and recovery system enforce this, typically using digital signatures. As such, they can be updated without needing to be decrypted first.

The data partition does not need to be available unencrypted for system/ROM updates to be applied. Since the first two are read-only during the phone's normal operation, their contents are both well-known (anyone can inspect the contents of updates) and cannot be written to, so they will not hold any secrets.
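
The signature gate described above, sketched as an added example that is not part of the original answer: `openssl` stands in for the vendor's signing tool and for the check done by the bootloader/recovery, which on a real device uses its own package format. The function names, file names and sample image are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added illustration: openssl is a stand-in for the vendor signing tool and
# for the recovery's verifier. All names and files here are constructed.

# Vendor side: create a signing key pair (the private key stays with the vendor).
make_vendor_key() {  # $1 = private key path, $2 = public key path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2"
}

# Vendor side: produce a detached signature over the update image.
sign_update() {  # $1 = private key, $2 = image, $3 = signature out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Device side: needs only the public key shipped with recovery, the image and
# the signature. No data-partition key or user passcode is involved.
verify_update() {  # $1 = public key, $2 = image, $3 = signature
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Device side: write to the target "partition" file only if the check passes.
apply_update() {  # $1 = public key, $2 = image, $3 = signature, $4 = target
    if verify_update "$1" "$2" "$3"; then
        cp "$2" "$4" && echo "applied"
    else
        echo "rejected"
        return 1
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_vendor_key "$d/vendor.key" "$d/recovery.pub" || return 1
    printf 'system image v2 (constructed sample)\n' > "$d/update.img"
    sign_update "$d/vendor.key" "$d/update.img" "$d/update.sig" || return 1
    apply_update "$d/recovery.pub" "$d/update.img" "$d/update.sig" "$d/system.part"
    # Same signature, modified image: the check fails and nothing is written.
    printf 'extra bytes\n' >> "$d/update.img"
    apply_update "$d/recovery.pub" "$d/update.img" "$d/update.sig" "$d/system2.part" ||
        echo "modified image was not written"
    rm -rf "$d"
}
demo
```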