The problem with this is that so many apps use Google Play Services. If I didn’t want a phone that used Google, I wouldn’t use an OS that bent backwards to make it work.
GrapheneOS doesn’t “bend backwards” to make apps relying on Play Services work. Sandboxed Google Play is highly compatible and all you need to do is install the apps, just like you would any other apps. The argument that since many apps require Google Play Services, you should use stock OS where they have privileged access rather than being sandboxed doesn’t make a lot of sense.
The sandbox model is OK in theory, except when your bank app asks for permissions for microphone, camera, contacts and files, and refuses to start without them.
The app model is a bit broken IMO and GrapheneOS both enables and perpetuates it.
Apps installed on operating systems that don’t have a sandbox and thus a permission model get access to straight up everything. Your scenario is exactly why GrapheneOS features contact and storage scopes; as an alternative to the regular permissions for more granular control. You can grant an app only a subset of contacts/files or nothing at all, the app won’t complain since on its end, everything’s been supposedly granted. There are more planned features to address other permissions in a similar way. Furthermore you could put it in its own little box via a secondary profile (you can have up to 32), and have that only run when you need it.
I might be being a bit naïve here, but Android 14 came out in October, 4 months prior to LOS 21, which is not particularly long. Android 13 is still supported by upstream. This sounds a bit like running RHEL or Debian vs bleeding edge Arch, no? It’s a common debate whether RHEL systems are constantly out of date, the counterargument being that vulnerabilities are often found in new software versions. Without real statistics about security vulnerabilities over time it’s difficult to make an informed decision about software version policies.
4 months without proper patches to known vulnerabilities is very long. Previous versions of Android aren’t properly supported; they only receive a subset of patches, not nearly everything. In fact, not even Android 14 is currently getting full patches. At the time of writing, for a device to be properly patched, it must be on Android 14 QPR3. It’s why we put great care in porting everything over as quickly as possible. You don’t have to make guesses about vulnerabilities, you can simply look at all of the known vulnerabilities that haven’t been patched yet, or will never be patched, in previous Android versions. It’s not a matter of “what if”, it’s what’s actually happening.