http://www.ricoh-imaging.co.jp/english/products/oss/ i crawled the source code for a little bit.i think there are ways to get control over the camera through the sd card.for anyone interested:if you download the source code.there is a package called stubby. which is a bootloader and which seems to provide to read from sdcard...
Typically these things are locked down and require signed / encrypted binaries. See README.crypto in the stubby package.
If one could just build something and run it, someone almost certainly would have done so by now. Here's a discussion from 2017 on dpreveiw https://www.dpreview.com/forums/thread/4217301
Knowing the versions of the packages involved might point to known vulnerabilities i.e. search CVEs for busybox 1.24.1, but note some have been fixed with patches in the patches directory. If you have a camera with the older firmware or Ricoh allows downgrading, you might be able to get to a vulnerable version of something. Of course, many vulnerabilities may not be exposed in a way that you can access them on the camera.
Ricoh also offers a remote control SDK which might provide an avenue for exploitation, but it appears to be for Pentax SLR and medium format cameras. It's possible other models use similar protocols. It no doubt uses PTP, which could easily have vulnerabilities (Canon's implementation did https://chdk.setepontos.com/index.php?topic=4338.msg140923#msg140923
If the camera has a UART or jtag, that could be another avenue.
This story https://alexhude.github.io/2019/01/24/hacking-leica-m240.html
has some nice examples of the kind of analysis involved (for Leica, so not directly applicable)