handedness 2 hours ago
They aren't strawmen. You pop up in GrapheneOS threads like clockwork and recommend other devices. You say, "but Google hardware." I get not wanting to contribute to Google financially, I get not wanting their logo on a device, I get the general discomfort with anything Google. But it's akin to people being so anti-Google that even when Firefox on Android lacked nearly any sandboxing whatsoever and had downright reprehensible security practices, they'd continue to use Firefox on Android when visiting untrusted websites, because, well, at least it's not Google-adjacent. It's completely irrational and unjustifiable on anything but a totally emotional level.

You conflate privacy with security here, "They may be more secure in small ways, depending on your threat model, like avoiding Google," and yet you don't articulate any demonstrated connection between using Google hardware with GrapheneOS and Google's ad tech business. The closest thing there is needing to connect to Wi-Fi to unlock the bootloader, but that's easily addressed. You cite a hypothetical backdoor that Google may have placed in the hardware, but unless you're physically examining every chip running every OS (and there are several) in every device you own (even the ones you think you've disabled the MIE on), you simply can't know that. You have to account for that, but you talk about it in ways that imply a project which accounts for it better than others hasn't, while one that inherently can't, has.

When they announce Motorola support, you're still on about avoiding Google. They literally can't win with you. If you think their decisions harm them more than they think, but can't understand the basic factors at play, it's hard to take your determinations seriously. Good governance of a complex project is hard, and people snipe from the sidelines with virtually no understanding of what the actual situation is.
By all indications the project is incredibly well run in all ways that practically impact eventual end-user security.

If you have no idea how anything can be more secure than Qubes OS, consider Qubes OS running on hardware with excellent security features, and the two being tightly integrated. There's your reasonable answer. That is literally the roadmap for GrapheneOS. A hypervisor-based OS that's useful for end-user purposes by carefully layering on functionality to make a hypervisor-based OS some degree of usable. The less reasonable reasonable answer is that you'd have better security if you ran Xen itself, as everything Qubes adds to make it usable potentially weakens it. It's just the nature of the beast. It wouldn't surprise me if GrapheneOS lands on Xen for all the same reasons Joanna landed on Xen, and they end up contributing massively upstream to Xen security largely by tightly integrating it with said hardware. But I'm sure other patches will flow upstream with whatever project they choose, because their security chops are that good.

Qubes OS also lacks resources. They're supporting a massively bigger variety of hardware with a comparatively tiny user and donor base. By all indications their finances are nowhere near sufficient for what they really need to do. The project is as good as it currently is almost entirely down to the incredible efforts by a very small number of amazing people. If nothing else, the speed at which they can iterate and evolve is highly constrained. Remove 1-2 key players from the equation and the project almost invariably collapses. That alone constitutes a definite security vulnerability.

Re: Apple, I'm talking hardware security. But even when you factor the software in, for a portfolio of consumer operating systems used by a billion and a half normies who expect it to do every normie task under the sun with very little frictional security overhead, Apple does a great job at security.
Edited to add:

> I would be happy to use GrapheneOS on a more libre hardware (Librem 5), even if the security may be lower. Some people value an additional bit of freedom more than cutting-edge security.

OK, but that's a nonsensical wish at best. There are other AOSP forks out there that would meet your needs. Buy a non-Google Android phone and load another AOSP fork. Or, fork GrapheneOS and modify it to meet your needs, though that would be a largely pointless exercise. Repeatedly criticizing the project every single time it comes up for not wanting to completely change its fundamental nature in an ill-defined attempt to satisfy your inclination is a real head-scratcher.