GrapheneOS and its predecessor CopperheadOS are AOSP derivatives.
CalyxOS is a fork of LineageOS.
Our further comments are impartial even though we have a business involved with tailor made closed source secure O/S and application ecosystem development.
We are not going to discuss security of AOSP and it's derivatives vs iOS vs Ubuntu touch and similar.
Security is a result of preferences - a choices and decisions. Regarding O/S development, we must differ original contributions vs simple changes of present code and rebranding those.
GrapheneOS advertizes certain features as comparative advantages
Overview of GrapheneOS features differentiating it from the Android Open Source Project (AOSP).
grapheneos.org
We'll offer an analysis for a glimpse.
The password maximum lenght is an arbitrary value in AOSP source code with default
MAX_PASSWORD_LENGTH = 16
The number 16 can be changed to any other value, up to the maximum value for a 32-bit signed integer which is 2.147.483.647.
The default number of user profiles is 4 in AOSP, where GrapheneOS simply changes that arbitrary value in "default.xml" and "config.xml" in source code with 32.
The encryption is an AOSP default, FBE (file based encryption) with identical cryptographic primitives.
Regarding sandboxing, there is no difference between AOSP, LineageOS or other derivates compared to GrapheneOS. By installing Google application ecosystem on GrapheneOS in advertized sandboxed manner, the end user defeats the purpose of his original intent to use supposedly O/S that offers security and privacy.
By changing Google's services and servers for location, the end user simply switches one dependancy for another.
As we test every competitor's product on forensic platforms both our in-house and commercial ones such as Cellebrite, we know from which vendors and commercial or open source O/S platforms is possible to perform (forensic) data acquisition.
Quite unfortunately, it is possible to compromise GrapheneOS, CalyxOS and LineageOS platform with spyware and perform separate data extraction. We assume that specific set of both vendor and user preferences downgrades effective security.
We'll offer selected resources regarding security, privacy and anonymity in time to come.
