Then that is what should have been said. As written, it says that communication while offline is not only possible but a fait accompli.
Communication while not connect to the internet would require a device controller to have:
a) a tiny radio/cellphone built into the device (trivial these days)
b) logic in the device controller to relay data via the radio/cellphone
If these are present, every time the device controller reads or writes data to the drive, it could relay the data via the embedded radio device. Kind of James Bondian, but simple these days.
As far as motherboard memory, the device controller normally accesses memory on the motherboard to transfer data to and from itself. What memory it can access on the motherboard is defined by the protection mechanisms of the OS and hardware, i.e., what use the OS makes of hardware protections.
I’ve never looked into things from that angle; people familiar with OS kernels and system memory architecture would be the ones to ask about malicious device access to system and userspace memory.