Graphene adds many privacy features on top of regular AOSP. But it only works on phones that has good security features that are not woefully outdated or completely closed-off. Google has complete control over Pixel supply chain and they can make their phones with all bells and whistles for their ends and they behave a bit benevolently and expose the interfaces to the user too.
Most Android phones use Qualcomm which doesn't give a flying fuck about giving control or privacy to the users.
AOSP is still the best Linux-based environment for consumer use case from many aspects. It handles hardware better than GNU-based desktops, it is more secure, it supports things like HiDPI screens better and it has a stable API to write applications against and many people and organizations did so (you can still use Android 4 apps).
AOSP has strong Google influence but it is possible to use it without feeding data to Google.
FWIW, I've been looking at the mobile / portable computing space fairly intensively for a month or so. I share your quite dim view of Google.
GrapheneOS does seem to be one of the most attractive Android alternatives.
There are also Lineage (based on CyanogenMod), AOSP, KaiOS (based on AOSP, via Firefox OS), LightOS (by Lightphone, AOSP), AphyOS (used by Punkt. mp03, also based on AOSP). These tend to be minimal, used on feature phones / dumbphones / minimalist phones. And there are /e/OS and iodéOS.
Among Linux-based non-Android options are Sailfish OS (Jolla), Ubuntu Touch (Ubuntu), PineOS (Pinephone), and PureOS (Purism), Tizen, Mobian (based on Debian), postMarketOS (based on Alpine Linux). These tend to be maximalist, offering a fuller experience than Android, with support for native Linux applications and configurations.
There are some non-Linux OSes, of which I'm aware of System 30+ (a/k/a S30+, Nokia), OpenHarmony (by Huawei), and ... something described as "realtime OS" or "RTOS" which actually had a name, for a Japanese flip phone, but which has slipped my mind (probably something reviewed by Jose Briones on his YouTube channel).
And of course there's iOS.
Briones by the way is an absolutely excellent resource: <https://josebriones.org/>. He's also one of the mods of /r/dumbphones at Reddit.
There are trade-offs, and what you choose depends on what you value, in the marketplace, in capabilities, in your own peace of mind.
If you want a full-featured device with wide acceptance, few limitations, and want nothing to do with Google, look at iOS devices.
If you want (nearly) full Android capabilities, but without Google's prying eyes and ears, GrapheneOS or LineageOS are probably your best bets. Whilst Graphene currently only works on Google Pixel devices, there's been a partnership announced with Motorola, there may be others in future (my speculation, with no other basis). And ironic as it seems, Graphene + Pixel actually does get you further from Google in many ways, though I still understand your position.
If you want full freedom / maximal privacy, and are prepared to make compromises on capabilities and battery life, look at one of the Linux-based, non-Android options. I've heard of quite a few bugs with these.
If you're looking for specific hardware capabilities (e-ink, folding / candybar, keyboard (T-9, qwerty, ...), small, large, tablet, headphone jack, etc., etc., or specific software capabilities, you're going to further refine your search. (Briones has a Dumbphone Finder at his website which does this pretty well.)
If you want modularity or repairability, there are devices such as Fairphone or Keyphone with (some) replaceable components.
If you want minimalism, look at an AOSP-based device, or perhaps S30+. These will give you feature phones capable of calls, texts, and a few apps, but not much else. For more complete computing you'll need either a desktop or a laptop.
There are more extreme options. I'm considering, for example, whether or not a roving SIP WiFi-only phone might be an option, and if so, what would be necessary to make that work. It would rely on a WiFi network provider (public or non-public network, or a cellular modem), and wouldn't function everywhere but should function in many locations sufficiently to be useful.
Most non-smartphone options I've looked at, and in particular the usual "dumbphone" suspects (Light Phone, Punkt.) tend to run an AOSP-based OS, with Nokia being the principle exception.
Briones FWIW uses the Light Phone III as his daily driver. That's somewhat spendy, and quite minimal, but he has his reasons, discussed at length at his blog and YT channel.
I'm leaning fairly strongly toward an option now, though my main hesitation is that KaiOS devices have very limited phone/SMS spam and/or traffic management. I'd prefer known-contacts-only could reach the device, that doesn't seem to be possible (KaiOS has only specific-caller blocking, and apparently a limited API for enabling more robust phone blocking). On the flipside, the device can be powered off, and/or battery removed.... I'm also looking at some VOIP/SIP options.
This is one of my strikes against the Punkt mp02: it doesn't work with most of my carrier options. I was hoping that either that device's capabilities would be extended, or its replacement would follow a similar ethic and expand bandwidth / protocols, but neither occurred. Further reading on Punkt's offerings has further cooled my interest (bugs, fragile HW, spendy).
RCS and group chat support seems to be another sticker, though with a small-form-factor laptop or tablet you should be able to work around that.
The other sticker for me (mentioned in my original post) is voice/SMS/messaging filtering options. The increase in spam / unsolicited contacts across the comms spectrum is immensely frustrating, and few devices / OSs / apps really address the situation adequately and in a privacy-respecting manner. That's still giving me a lot of hesitency on what really ought not to be this complex a decision, though for now I'm thinking it's a good thing to spend the time.
Most of them also have really bad security, for various reasons, including:
- Since virtually no hardware vendor (outside Jolla) supports non-Android phones, they typically use phones that were made by their ODMs as Android phones and rely on kernel/firmware/device trees made available for those Android builds. Sadly, nobody outside Google (PixelOS) and Samsung really cares about giving their kernels and firmware timely updates. So usually the kernel and firmware are full of known holes (Qualcomm and others do monthly bulletins).
- For many reasons, Linux systems have never really focused on proper security isolation and sandboxing. So most of these phones have really poor isolation and you are only one browser/image parsing/... vulnerability away from full phone compromise.
- Unlocked bootloaders or otherwise compromised boot chain. So, it's easy for persistent malware to compromise a phone and there is no way to attest that the system runs unmodified binaries (as you can e.g. can with GrapheneOS' auditor or Android phones with fully verified boot and Strongbox).
Let's say, if I was a bank, I can understand why I would want to block such devices.
So as a bank, you would be forcing your customers into the duopoly of the American megacorps. Thankfully, there are banks that do not do this.
Obviously I want banks to support alternatives, but I can understand if they only want to support secure OSes. Some banks support GrapheneOS remote attestation besides Google Play Integrity at the strong level.