If people want open devices they should maybe better explore open hardware. Im not talking about devices, like Librem where the schematics are open but the chips, which are the parts which do all the work, are all closed, but rather devices with open silicon.

GrapheneOS does not include any of the Google apps that implement Play Protect. You can install them, but they run in the sandbox like normal apps and so are not highly privileged. They are unable to block installation of apps, install apps or uninstall apps as they are on stock Androids

There are various apps that either connect directly to an IP address or do DNS resolution themselves to sidestep this kind of blocking. Rethink lets you stop apps making these kind of connections bypassing DNS and whatever DNS filtering you have set up to control their connections

Here is a recent report of widespread advanced malware looking to see if a device is rooted - https://www.lookout.com/threat-intelligence/article/badbazaa...

Here is a report of malware using root - https://zimperium.com/blog/new-advanced-android-malware-posi...

Root does not only provide privilege escalation, it also provides attractive options for exploit persistence on a device, something which is difficult to achieve on modern Android and iOS.

Having bootloader locked you get verified boot, big security benefits and automatic healing of operating system files damaged by the drive degrading.

Compatibility with carriers also improved a lot a few years ago. Configurations for most carriers are pulled in from the stock Pixel OS. Some US carriers do weird things that depend upon having highly privileged apps bundled into the OS which, for security reasons, GrapheneOS doesnt include. I dont recall AT&T being one of them.

GrapheneOS is very usable and fine as a everyday phone for normal people.

Encryption on Android devices has changed over the last few years, introducing the possibility for File Based Encryption FBE, later making in mandatory. File based encryption enables apps to use keys to encrypt their data that are flushed when the screen is locked. Many security concerned apps like password managers and OTP apps make use of this.

If you feel the need you can use 'multiple users' to create an extra user or use a work profile (Island, Shelter, Insular) to keep sensitive apps and data. These have seperate encryption keys that are flushed upon switching off the work profile or restarting the phone (for multi user). You can still use the main user on the phone with the work profile/multi user encryption keys not held in memory.

When they were still publishing their sources they were often lagging months behind with basic AOSP security updates. Still not updated to Android 11 yet, 2 months since it was launched, which, as they support Pixels, means they now have 3 monthly updates worth of device specific security patches that can't of been applied.

GrapheneOS moved to 11 in September, not so long after it was released by Google