Yes, more precisely the data in question is constructed in a way prescribed by the CMAC/CTR/CBC modes which are standard secure operation modes and that is what makes this specific
application of ECB secure.
I am not sure what you mean by “internal implementations”. If you mean
Issue 8617, it is just an idiosyncrasy of the API that the context is set up with ECB mode. The operation performed by the mbedtls_cipher_cmac_* functions will be still CMAC. This will go away in
4.0 and the only way to do CMAC will be the
PSA Crypto API (which is already available in all supported versions, and) which doesn’t reference the ECB mode at all.
Cheers,
Janos