Yep. And GrapheneOS's changes to the kernels of devices they ship are laughably small, 20-30 commits at most. I don't think they even do any basic CVE checks on any of the source code.

Fuzzing, actual security analysis - all those things are done by Google.

isn't that by design? for GKIs i mean