Companies of this business model are highly secretive and the amount of victims for such attacks isn't fully known since it depends on heuristics or TTPs used by the exploit during that exploit's period of not being exposed, there can always be more and it's not accurate to tell. It is almost certain such malware of its kind exists for iOS and the stock Android distributions. How that exploit is delivered also can vary and has a dependency on a user using a certain service or app, one example being WhatsApp.
Majority of GrapheneOS features and exploit protections like hardened_malloc and MTE are designed for protecting the user against memory corruption vulnerabilities. Memory corruption makes up the majority of critical vulnerabilities exploited in the wild because of the capabilities exploiting it can bring. There are many features users could opt into using as well.
For an exploit of its class to work on GrapheneOS, it would almost certainly have to be designed for GrapheneOS. This can be difficult to maintain due to regular updates and new features/enhancements of the OS or even the apps.