zb3 6 hours ago

GrapheneOS said that's not possible, but I'd actually want to see some expanded explanation.

TEE attests that the OS is booted with a given AVB key, OS version and the bootloader unlock state...

But I know that vbmeta is per-slot, so I guess the whole chain is... I also read that if you flash "custom_avb_key", the original AVB key is also permitted...

Could this mean we could theoretically dual-boot while being able to flash the OS manually using fastbootd?

Credential Encrypted userdata would be inaccessible though, I'm not sure if the second OS could mount that partition at all.

But I'd like someone more competent to address all this.

strcat an hour ago | parent [-]

Dual booting would be much further from passing attestation checks and would be incompatible with a bunch of the hardware-based security features. The boot slots are needed for A/B updates and include the firmware partitions. They're not useful for this and don't provide useful functionality for it. It would be entirely possible to build a bootloader for loading multiple different operating systems, but it would be a hacked-together mess without proper firmware updates or security. It would require heavily modifying both GrapheneOS and the stock OS to fit them into it. It would require losing a lot of the hardware-based security integration. What would be the point? The end result would be much further from passing attestation checks than GrapheneOS. GrapheneOS has near perfect app compatibility with the exception of the Play Integrity API. Other anti-tampering checks are largely compatible with GrapheneOS with the exception of tripping from certain hardening features, which is increasingly being resolved with workarounds, and there are toggles to avoid it already.
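
Added example, not part of either comment above and not GrapheneOS or Android code: a verifier-side check of the boot key, lock state and boot state that the first comment says the TEE attests, decoded from the RootOfTrust structure of an Android key attestation record. The function names, the pinned-key policy and the sample bytes are assumptions constructed for illustration; validating the attestation certificate chain and extracting RootOfTrust from the certificate extension are out of scope.

```python
import hashlib

BOOT_STATES = {b"\x00": "Verified", b"\x01": "SelfSigned", b"\x02": "Unverified", b"\x03": "Failed"}

def read_tlv(buf, pos):
    """Read one short-form DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("long-form or truncated DER length")
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_root_of_trust(der_bytes):
    """RootOfTrust ::= SEQUENCE { verifiedBootKey OCTET STRING, deviceLocked BOOLEAN,
    verifiedBootState ENUMERATED, verifiedBootHash OCTET STRING }"""
    tag, body, end = read_tlv(der_bytes, 0)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("expected exactly one SEQUENCE")
    fields, pos = [], 0
    for expected in (0x04, 0x01, 0x0A, 0x04):
        tag, value, pos = read_tlv(body, pos)
        if tag != expected:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        fields.append(value)
    return {"verifiedBootKey": fields[0],
            "deviceLocked": fields[1] == b"\xff",  # DER TRUE only; anything else fails closed
            "verifiedBootState": BOOT_STATES.get(fields[2], "Failed"),  # unknown -> Failed
            "verifiedBootHash": fields[3]}

def check_policy(rot, pinned_keys):
    """Hypothetical verifier policy: locked device, verified boot, pinned boot key."""
    if not rot["deviceLocked"]:
        return False, "bootloader unlocked"
    if rot["verifiedBootState"] not in ("Verified", "SelfSigned"):
        return False, "boot state " + rot["verifiedBootState"]
    if rot["verifiedBootKey"] not in pinned_keys:
        return False, "unpinned verified boot key"
    return True, "ok"

# Constructed sample data below; none of it comes from a real device.
def der(tag, value):
    return bytes([tag, len(value)]) + value

KEY_A = hashlib.sha256(b"constructed OS A signing key").digest()
KEY_B = hashlib.sha256(b"constructed OS B signing key").digest()

def sample(key, locked, state):
    body = (der(0x04, key) + der(0x01, b"\xff" if locked else b"\x00")
            + der(0x0A, bytes([state])) + der(0x04, bytes(32)))
    return der(0x30, body)
```

A verifier that pins `KEY_A` accepts only records carrying that key on a locked device; a record with any other boot key, an unlocked bootloader or an unverified boot state is rejected.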