Great general info! Thanks for taking the time to put it together. Specifically, Graphene and Calyx support a combined total of 12 devices 11 of which are Pixels. Great for those users and it might inform what I buy in the future. Lineage supports tons of devices - great for anyone reading this who doesn’t care about the softened security (or doesn’t have another choice). Lineage is out for me specifically because my device is old/unpopular enough. /e/ still list support for my device, but I am guessing that since it is based on Lineage it won’t get meaningful support either.

LineageOS don’t use permissive selinux and disabled nearly every function of userdebug build except for root functions over adb (that is disabled by default).

The only real danger about LOS is the unlocked bootloader, but it can’t be solved by LineageOS developers, since it depend deeply by manufactorer.

Still, even if it is a security risk it depend a lot about your threat model and if you usually install only trusted apps and navigate on trusted sites (or usually disable JavaScript) the actual attack surfaces isn’t really a problem for the common users, and there are only theoretical risks.

The great thing about official LOS is the support of a lot of devices (and not only Google made) and the big community approval needed for every change.

Community standards for LOS are actually really strict, and you can be pretty sure to have a stable system when you use official LOS on your device. Since there are dozens of supported devices it gives users a lot of freedom.