Yes, it is my understanding that GrapheneOS's attestation feature would detect such tampering. It verifies the entire OS installation's integrity through hardware-backed security, checking the bootloader, firmware, and OS installation itself. Even if malicious code were injected during data transfer, the system would detect unauthorized modifications because it relies on secure hardware verification rather than just software checks.

This does not apply to third-party apps running on top of the OS, though GrapheneOS does support Play Integrity API and SafetyNet Attestation API for app compatibility.

For third-party app security, you would need to rely on:

- The app's own security measures
- GrapheneOS's sandboxing features
- Regular security updates
- Careful permission management

I would be less concerned with Google injecting anything into GrapheneOS through a standard new device data transfer wizard—unless you're on a significant watchlist and your phone is already compromised, in which case attackers have more subtle methods at their disposal.

I'm more concerned with an unaudited GitHub app. Even with open-source code, few people review it thoroughly, and malware frequently appears in open-source repositories.


Discussion

I've always wondered how people trust the apps that are in Obtainium. Do they audit apps personally, for example by reading all of an app's code line by line?

nostr:nevent1qqs2700mkgqk9gdttddca6nqsa00l2pkn5zv38nsq9gt98y5l6exfkgpz9mhxue69uhkummnw3ezuamfdejj7q3qf6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4ksxpqqqqqqzedyczs

Some open-source is outright malware. They know nobody reads the code.

Well, that is concerning.

Do you know if GrapheneOS is deterministic atm? If not, attestation is nice, but there are a lot of holes that could be plugged.