Fair enough. I said “huge” because I guess some people care a lot. I personally don’t and have been on security preview releases since they started releasing them.

Not exactly. GrapheneOS has an OEM partner and has early access to AOSP changes that aren’t public. A huge downside to that is that security preview releases can’t be open source until after Google makes the code public.

GrapheneOS isn’t dying. There’s an OEM partnership in the works and they’ll release devices with support for GrapheneOS in a year or two. GrapheneOS still provides updates and while the changes have made some things harder, the project is still going strong.

At this point GrapheneOS is big enough that there are people who do pay attention to changes and forks that would notice as well.

Well, the fact is it is impossible to target someone with a modified update. The update client sends no IDs to the server, it just fetches static files and determines whether it needs to update or not. The server only has static files.

thet could, in theory, make a single OTA that everybody gets, but checks for a specific IMEI or other device ID and only there enables some malicious payload.

That would be very obvious in the code. And how would devices be targeted if GrapheneOS project members don’t know the unique IDs because they’re not sent in the first place? There are also community members who build GrapheneOS on their own and check if the builds match because GrapheneOS builds are reproducible. It just isn’t possible. But even if people don’t believe all of that, they can still disable the updater app and sideload updates manually. Instructions are on the website.