Hmm. The devinfo partition does indeed store both Pixel 6 IMEIs in plain ASCII. They can be found after "imei1" string and zero byte and after "imei2" string and zero byte respectively. Patching any of them in the devinfo image, regardless of whether or not /mnt/vendor/efs/nv_protected* files are deleted afterwards, causes the device to report both IMEIs as 000000000000000 to both the OS and the network (which shows "Unknown Unknown" in place of the phone model in the carrier's account page). Other places to properly patch the IMEIs in addition to the devinfo partition are still being researched.

The journey is still far from the end, but, according to some "experts" from the #GrapheneOS forum, even this couldn't be possible because, you know, ReGuLaTiOnS.