Are contemporary Android face-recognition implementations fully executed inside a Trusted Execution Environment (TEE)?

The AOSP biometic guidelines state that for class 2/3 biometrics: > Biometric acquisition, enrollment, and recognition must occur inside > the secure isolated environment to prevent data breaches and other > attacks I can see this being feasible for fingerprint-based biometrics. But I'm quite surprised that the entire process of facial-recognition on for example, a Samsung smartphone is all happening inside the TEE. That would presumably mean image capture, detection of features, preprocessing, biometric template generation has all been ported to what I'm assuming is a resource-constrained environment, yet it typically runs within a fraction of a second. I'm wondering if anyone can shed some light on this niche area and confirm whether all the processes in the pipeline occur in a TEE, or whether there is in fact a hybrid system wherein some image processing is happening outside of the TEE.