AIUI, they didn't inject code, just mangled the stack to hijack the execution flow towards specific code fragments ("gadgets") already in the executable memory.
Yeah some devices support PAC use that feature to sign return pointers. But not everyone uses it (even when available), and there exist methods to bypass PAC— from attacking the micro architecture to finding signing oracles.
PAC (pointer signing) & Branch Target Identification are not available on 32 bit arm chips, and judging by the assembly in the blog post the Titan M is a 32 bit chip.
There's multiple mitigations, including some compiler passes IIRC. But the pointer auth hardware ones defined by ARM were probably specified after Titan M's original design.
I thought I read the whole thing. Did I miss that explanation?