privacy-oriented distributions are more likely to be targeted by intelligence agencies
Since GrapheneOS is based on Android (AOSP), any vulnerability that exists in Graphene definitely also exists in AOSP. Graphene is often faster at fixing security vulnerabilities than Google. GrapheneOS makes some substantial security improvements to AOSP, so the chance of a bug in AOSP being exploitable in Graphene is much lower.
trusting your OpSec in the good will of someone it’s not a good idea, at least for me
That’s literally what you’re doing with the stock OS. Since it’s proprietary, no one can actually verify what’s actually going on. You’re literally trusting a billion-dollar big tech advertising corporation that participates In the NSA PRISM program. What you’re saying doesn’t make any sense.