Not sure if VPN eliminates all risks with 2G and 3G, maybe it does.
Sandboxing, javascript
Vanadium has sandboxing but its javascript blocking is useless (no granular control)
Mull has no process isolation at all, but support for UBO and Noscript. Bad situation
it’s a walk in the park for it to modify any of the partitions
These cannot be written without TPM verification or stuff, ask GrapheneOS devs about that, I dont know. The firmware signing is required, the verification will not be done inside the OS, that would be totally flawed.
If they have the firmware signing keys, they can fuck you. If they dont, they can only write to the system partition, and Attestation can see that.
Reading data has nothing to do with that. They likely can, but that doesnt matter.
My 6 years old phone still receives LOS updates
This will not include firmware and likely even the kernel.