Call me crazy but I find it highly suspicious that, of all cellphone brands, it's a Google phone that ends up being the most secure for things like #GrapheneOS

Discussion

Why? Pixel, like Nexus before it, is still provided as a development platform and baseline by Google as to what they think Android devices should be.

Unfortunately, brands like Samsung that come close are hostile to devs/consumers by breaking their hardware through Knox and efuses when the bootloader is unlocked. Other OEMs cut even more by not offering any parity in regard to security-focused hardware and reducing it from said baseline.

If other OEMs provided the same or better hardware and alternate OS support, then supporting them wouldn't be a problem. However, the question is usually misdirected as to why we don't support other devices. The real question is, "Why do they not support us?"

I've come to distrust Google entirely with their appetite for data, user fingerprinting and profiling, and willingness to play along with government overreach, and I'd be surprised if they were the ones who made the only truly secure hardware that would undermine those appetites. No backdoors? Nothing? Perhaps I'm paranoid, but I don't like them regardless. It just doesn't line up for me that their hardware is a safe haven.

We carefully consider our hardware choices, and that is a part of why we use Pixels. They are a lot more trustworthy than the vast majority of Android devices. Part of why they're more trustworthy is because they have a ton of external security research and are friendly to it.

No smartphones are open hardware. Pixels aren't open hardware. However, they do have a lot more open source code for the firmware and even to a tiny extent hardware than most other phones. For example, they use the open source Trusty OS as the basis for the TEE and secure core.

They use the open source OpenTitan as the basis for the secure element. We hope they follow through on the promise of that by fully opening the device-specific sources for these components, and other ones. It'd be quite useful since we could use it when working with another OEM.

A sophisticated attacker doesn't need a backdoor. They can and do exploit vulnerabilities.

Google Project Zero recently decided to help secure the Samsung cellular modem used by Pixels via offensive research. In a few months, they developed multiple remote code execution exploits.

If your concern is a sophisticated state actor, then clearly they can develop remote code execution exploits for relevant firmware and software. It doesn't actually make sense for them to try to add backdoors because they can use the front door: the many serious accidental bugs.

The benefit of using GrapheneOS on top of all that is that you increase your protection against persistence as well as the escalation of those using an RCE to exploit the OS where they'd need a further exploit to do so.

Nobody has yet claimed to have done so, and GrapheneOS is a high-value target just like the Pixel.