Does a compromised kernel give complete control over a device?

Running code in "kernel space" means running it in the ring 0 space. In other words, it is the strict definition of "having total control".

The only exception would be if you are running a hypervisor. In such a case, running code in ring 0 of the virtualized OS would "only" give you full control of the virtualized device, not the hypervisor (which is said to be running in ring -1) it is running on. You would need a separate escape exploit to get to that.
Would that give an attacker complete control over the phone? For example, could they install a keylogger or other malware?

This is possible. Since any permission checks (e.g. file access, access to the keyboard, ...) are done inside the kernel, code running inside the kernel could simply invoke the needed actions directly without executing these checks.

Would it allow a compromised device to perform an OTA attack on other devices in the same way (becoming a worm)?

It might be possible that some actions need kernel access, like the ability to create manipulated network packets which can be used to compromise a different device. But this does not mean that you always need kernel access for such attacks, i.e. root access is usually enough, and sometimes even a normal user process can do it, depending on the exact attack.

Are these concerns mitigated by other security features, such as SELinux, dm-verity, etc?

Once the attacker has kernel access, these techniques don't help. But they might help so that the attacker does not get kernel access. Whether they help or not depends on the exact attack vector. For example, they don't help in the case of the recent vulnerability in the Broadcom network driver which could be triggered by specific network packets.