Ok first of all: GrapheneOS is great, probably the best alternative Android OS, but their PR skills are rock bottom. Still, many ignore that due to how good it is.

With that said, I don’t believe their claim that it’s impossible for them to target a user with a malicious OTA: their reason is basically that the update server never even knows who is downloading, and so it can’t send a different file to just one user. That’s true, but thet could, in theory, make a single OTA that everybody gets, but checks for a specific IMEI or other device ID and only there enables some malicious payload.

I trust them not to do it, for many reasons, but technically they could. I also don’t think they’d do it to Louis, despite the beef they have with him.

Sure, but the problem is the ecosystem of alternatives stores effectively collapsing or falling under Google’s control. That will affect everybody who uses them, whether on GrapheneOS, LineageOS or certified devices.