Maintaining one's data as private requires that it is protected as a baseline. Privacy violations do not solely exist as telemetry or data offered up by the platform to some other party.

The protection is achieved through security. The major goal of something like GrapheneOS is privacy, which needs solid security as a prerequisite.

The blobs, while proprietary, are not opaque. They are able to be examined and they are.

The security of a device should not be dependent on what you choose to run on it. You should trust and be able to verify that the platform on which you are running the software prevents something malicious from accessing data which doesn't belong to it or otherwise violates the rules set by the platform (OS).

In this respect, the Librem 5 would do a horrible job compared to even stock AOSP. Thinking that you are secure because you only run "trusted" software on an insecure platform is cope.