I used to be a hobbyist dev of a ROM back from Android L-O, and left to start a professional software engineering career. I recently re-joined the hobby with the release of Android 12, and Calyx OS was new to me, so I ended up taking a look at their code repos.
Tl;Dr: If you want a privacy-focused no-compromises fork of Lineage OS, and the default hardening Google performs on their platform is enough for your personal threshold of safety (this is where most custom ROMs settle), Calyx is probably a good choice. If you're concerned about novel security vulnerabilities (read: more paranoid/vulnerable than most) affecting your device, choose Graphene.
Privacy-wise, Calyx is basically Lineage with most of its headline features being provided via LOS or third-party apps available on F-Droid. It does a good job at de-Googling your experience and has good privacy-focused default settings and apps. I like the custom location provider. Their egress firewall feature is a nifty improvement on top of LOS's original implementation of a similar feature.
Security- and hardening-wise, it's not much better than Lineage, which isn't much better than AOSP. Zero to little runtime or kernel hardening to be found. Graphene, on the other hand, puts the effort into hardening as many aspects of Android and the kernel as possible. Graphene has a custom hardened `malloc` for helping prevent memory safety exploits, a hardened libc, toolchain, and app runtime, among all sorts of other difficult but valuable security changes. Functionality-wise: almost anything Calyx can do, Graphene can do with some F-Droid apps to help.
This might seem a bit harsh, but the reality is that Graphene has a large number of deep security changes upon AOSP that Calyx isn't yet up to par with. As we've all seen, security in 2021 is difficult, and it takes decades or a lot of specialized experience to be a security expert. It's difficult enough for large companies to hire and retain security talent, and for hobbyist projects/small organizations even more so.
Does everyone need a hardened runtime? Probably not. Are there people who do and/or want one? Definitely.
Edit: one concern of mine about Calyx is their bundled VPN serviced by Sprint (as per https://calyxinstitute.org/legal/terms-of-service). Third-party VPNs are always to be taken with a grain of salt for privacy depending on your activities online and the VPN's owners themselves. I suppose it's better to have a VPN than not, but you must also trust that party and their security with your highly valuable network traffic, which should be a very high bar. Obviously, nothing limits you from loading up OpenVPN, IPsec, WireGuard, etc. and going your own route.
Some of them are separate projects (e.g. hardened malloc), and many of the implemented features later got merged by upstream AOSP itself. I think some independent audit also happened, but I'm not sure about the details.
Nonetheless, the project has an absolutely stellar track record, where the main guy behind it even revoked the signing keys of the OS upon a failed for-profit company overtake attempt. The project doesn’t accept any for-profit company offers since then and is independent and open-source.
For the readers: the aforementioned "takeover attempt" has never been substantiated or validated. Using the past (and rather trite) CopperheadOS dispute to justify present misgivings is disingenuous.