> According to the link you provided, it does seem to be ahead of stock Android (assuming AOSP) and LineageOS, disproving your point that it's falling behind.

The table shows CalyxOS has substantial delays for important privacy and security patches. It currently doesn't provide the 2025-06-05 patch level. It's better than LineageOS and /e/OS in that regard but still reduces privacy and security through significantly delayed patches. CalyxOS also weakens parts of the privacy and security model through the privileged functionality that's added, which simply isn't covered by the comparison table.

> The point of the OP is not that it would be better than your solution anyway; rather, if you have a device unsupported by GrapheneOS, Calyx would be better than nothing.

On Pixels, CalyxOS is missing current Android privacy/security patches. GrapheneOS doesn't support those other devices due to lack of a reasonable level of security. Each of those extra devices has significantly delayed privacy/security patches and lacks important hardware-based security features. Despite all the marketing about long term support, Fairphone 5 uses Linux 5.4 which is end-of-life in December 2025 with no plans on their part to move to a supported kernel branch afterwards. Earlier Fairphones are stuck on older end-of-life kernel branches. Those devices are missing basic updates and security protections. Those don't provide proper long term support, so if someone does have one it won't be long before it's time to buy another device.

> Calyx would be better than nothing.

Depends on your threat model. If Google, low-effort scam apps or being profiled by apps are your only adversary, then that's true. If random threats on Internet or APTs pwning your phone, or being forensic-proof are part of your threat model, then Calyx is strictly worse than stock.

Hardware identifiers aren't accessible to user installed apps. ANDROID_ID is a per-app-per-profile random ID. Apps don't need ANDROID_ID to identify that it's the same install due to immense fingerprint surface. If you installed the app in another profile, it would have a different ANDROID_ID, but it would still potentially be able to fingerprint it as the same device based on many things like settings. GrapheneOS does have planned features to improve these things but it's not nearly as simple as making ANDROID_ID per-app-install or making the MediaDRM ID more randomized than the current per-app random value (it was meant to be like ANDROID_ID but they make a mistake that's hard to fix without breaking compatibility so we need a toggle).