GrapheneOS is a hardened OS. It not only preserves the whole standard privacy and security model including all the hardware-based security features but also substantially improves it. https://grapheneos.org/features provides an overview of only the improvements made by GrapheneOS compared to Android 13 (specifically, the stock Pixel OS). We make a fair number of upstream contributions and those aren't listed on our features page once they're shipped by the stock Pixel OS.
GrapheneOS provides our sandboxed Google Play compatibility layer, which allows using the Google Play apps as regular apps in the full standard app sandbox with no special access or privileges. We've made them work like any other apps, with absolutely no ability to do something a regular user-installed app can't do. You also don't need to grant them permissions to use 95% of functionality and can revoke our added Sensors toggle (Network COULD be revoked and you can use GSF + Google Camera + Google Photos with Network revoked from each but most of Play services exists to provide Google services so it would somewhat defeat the purpose, but it's possible).
/e/ supports loads of random phones without a strong HSM. In my estimation this means it will be much easier to get into a locked phone with physical access. I imagine the phone would get imaged, and then the passcode brute-forced on another machine without rate limiting.
Calyx supports Pixel 3 and Fairphone, but otherwise looks pretty similar. According to GOS's main developer's comments in this thread, Calyx:
- "isn't a hardened OS and isn't at all comparable to GrapheneOS. They recently didn't even ship half the baseline Android security patches for 2 months, let alone providing much better patching and substantially hardening the privacy and security of the OS"
My opinion is biased since I'm a GOS user, and I have a very positive opinion of the project, so take this with a pinch of salt.