Clarification and/or source? Any device is at risk when in the wrong hands.

Even on devices that have fallen out of support, protections against PIN and other input attacks are far stronger than stock AOSP and the cost requirement to attack unsupported devices with GrapheneOS on them is still fairly substantial.