GrapheneOS Being able to RAM dump from fastboot mode is guarded by a check for the device being unlocked. If they're able to do it without being unlocked, that's an exploit, even if it's a trivial one. If the flaw being used in fastboot mode was known, it would be fixed in a firmware update.
Wow, I am quite surprised about that detail then, that's pretty concerning. The video itself simply skips to the RAM dump being accomplished, so that does alert my concerns a little. I'm guessing a fix for this would be beyond the project's reach since its a firmware issue? This is not counting the measures you've mentioned on this thread prior of course.
GrapheneOS Secondary users can be put back at rest. For both the main user and secondary users, encryption keys aren't available to the OS after unlock but they are in non-OS memory.
Thanks for the added details, I forgot to mention this. Your team's added responses are always appreciated.