I think the author meant that they do the monitoring, but are unable to send the information anywhere. I don’t know what use that would be. They could store it in secret files and send it later, perhaps.
A software application can only talk to the operating system.
System software that talks to devices is called a device driver.
Your OS talks to devices through the drivers.
A hard drive is not just a hard drive - it has a controller. The controller is a computer itself ! It has its own local memory and processor and programs on its chips. It’s the circuit board you often see on one side of a hard drive.
Your operating system device driver talks to the controller, not directly to the hard drive. The controller reads and writes the disk and writes its results back into the memory on the computer motherboard so the device driver can see it.
Obviously, if the hard drive controller has malicious code in it, your operating system is quite limited in mitigating that, since your OS is simply talk to the hard drive controller and accepting what it gets back from it.
Of course, an OS should be designed to make sure that hard drive (and other devices) controllers (which have access to motherboard memory) are limited to only accessing the memory that the OS device driver gives it to work with.
Since malicious hard drive controllers were historically not something people in the real world thought about much (if ever), operating systems probably are not really hardened to defend against malicious devices.
It’s actually quite difficult to do that, actually, as the OS would really want to be able to fully inspect all the memory on the device controller so it could validate both code and data that resides in the device controller’s memory. Of course, the validation software must not be compromised then in order for that to be reliable.
As soon as you copy anything to a thumbdrive or maybe even a DVD and put that device into a connected computer...