The exploits come in a nice box (physical box with phone connectors), and sadly, the answer could be yes at the bigger checkpoints (depends on whether they shelled out $$$ for the box).
Odays often have a finite lifetime. Once you have bought an exploit you may as well use it. Cellebrite and Greycode produce reliable and surprisingly functional gear. Apple and other vendors obviously try to discover what exploit is being used, and exploit vendors try to hide the technique. I suspect this is why sometimes the device is never returned.
Generally I wouldn't characterise the customs people as goons. Like most LE jobs they see some nasty stuff. I'm talking paedophilia and violent pornography. They also deal with some really sketchy characters and if you trigger that detection you are definitely getting extra scrutiny.
