Calyx is pretty insecure by default, it removes some default AOSP security features and is very slow to push security patches. And it doesn’t include any of the GrapheneOS security features like hardened SELinux, a hardened kernel, secure app spawning, hardened Chromium browser and WebView or hardware-based integrity attestation. It also uses a very flawed Google Play services implementation (microG) which requires root and has worse app compatibility.