Definition
GrapheneOS is a free, open-source, privacy- and security-focused mobile operating system built on the Android Open Source Project (AOSP). Developed as a non-profit project (descended from the earlier CopperheadOS work), it ships de-Googled — no Google apps or services are baked in — while remaining compatible with most Android apps. It currently installs only on Google Pixel phones, because GrapheneOS relies on those devices' verified-boot and hardware security features.
What it hardens
GrapheneOS is not merely Android with the Google parts removed. It adds substantial security improvements aimed at neutralizing whole classes of vulnerabilities: a hardened memory allocator, stronger app sandboxing, additional exploit mitigations, and a more granular permission model. Notably, it lets you grant network and sensor access per app and can run Google Play services in a fully sandboxed compartment — so apps that demand Google services work, but those services hold no special system privileges and cannot surveil the rest of the device.
Why sovereign users choose it
For someone pursuing digital sovereignty, the phone is usually the weakest link — always connected, always sensing, and typically tied to a vendor's cloud. GrapheneOS narrows that exposure: a de-Googled handset stops the default telemetry pipeline, the sandboxing limits how far a malicious or careless app can reach, and the per-permission controls let a user run a Bitcoin or Nostr app without surrendering location and contacts. It demands compatible hardware and some tolerance for friction, but it turns a commodity phone into a far more defensible tool.
A hardened phone supports the habits described under OPSEC and is worth weighing against the risks you list in your Threat Model.
