If our funding and manpower was unlimited, GrapheneOS wouldn't be using the Linux kernel at all, ideally something akin to a microkernel with a hypervisor written in a memory safe language like Rust. We'd then have an Android compatibility layer to run the apps. Android userspace already provides a lot of the safety by apps being developed officially in Kotlin or Java.

Linux kernel security flaws make up a lot of Android issues and are what ends up getting exploited in the wild by companies like Cellebrite. The Linux kernel itself is the biggest security liability. Having a more secure base means less hardening work. There was a post I made a couple months ago about Linux kernel (and Android specific) vulnerabilities that Android didn't fix but GrapheneOS had.