GrapheneOS specifically is probably fine when it comes to DRM. They sign their builds with keys that only they posses, so any custom forks would not get the advantages running an official version of GrapheneOS would gain if they were to pass the hardware verification API.
News outlets like to group projects like GrapheneOS and LineageOS together as “custom ROMs”, but GrapheneOS is much more than that. And in all honesty, some of the stuff LineageOS pulls to get their software working on some models shouldn’t be passing any checks. The projects released on forums like XDA are particularly bad, some of those will even disable Android’s security sandbox all together because it’s hard to make that work as intended.
Obviously, custom ROMs should not be trusted by apps where hardware security is essential. However, in cases like GrapheneOS, it’s hard to defend putting hashes of old, abandoned firmware with dozens of kernel exploits on the whitelist, but refusing to put GrapheneOS on there as well. Especially as GrapheneOS is more secure than Google’s own ROM, according to forensic hacking company Cellebrite, which can’t hack Google’s phones with Graphene but can get in with Google’s original software.