Largely agreed. Though I think there are useful applications: 1. the one you mention; 2. to protect against installation of a malicious image (e.g. because your browser/certificate store compromised); 3. a sophisticated attack where an attacker knows your credentials at some point (e.g. PIN), extract your data when the phone is unattended, flashes a compromised image, and restores the data (with the goal to surveil your phone).

Admittedly, most of these are probably nation state-level attacks, but I think some GrapheneOS users are the target of such attacks. Also, it doesn't hurt to run Auditor after a fresh install to protect against the second scenario. It only takes a minute, better safe than sorry.