The quote seems to imply that if the watch receives the payload from any source, even without a compromised AP, it'll pop the shell.

The easiest source of this is local network attacks, and it's not that unusual. In this case you could imagine a teacher at school who knows how to use Metasploit.

It doesn't seem like it has to be the local network, though; the computer just has to receive the packet somehow. So for example, if the watch loads a website or connects to some service on the internet (firmware updates, cloud sync, telemetry, whatever), an attacker could try to receive/intercept/redirect that traffic and serve the payload through that channel.

You might need the watch to have no certificate pinning or weak certificate validation if it's using TLS, but IoT devices often skip TLS.

Let me know if I'm misunderstanding the quote.