graphenediscoverer4
The OS update system can't run while the phone is powered off or if it lacks working internet access. An attacker obtaining a device will usually quickly cut it off from network access. It should be assumed that it's not getting further updates.
OS updates on GrapheneOS are automatic and kick in after the next reboot, so if you left a device idle for months it would continue getting updated to the latest release due to the default-enabled auto-reboot 18 hours after the last successful unlock. There's also an "automatic reboot while idle" toggle for updates that's disabled by default. That isn't relevant to this threat model. Allowing the device to have internet access would allow using a remote wipe app, not just updates. Why would they allow that? If they do allow that, they're probably not the kind of attackers who are ever going to have a working secure element exploit even after years of holding the device, so what's the concern? If you even have a random 6-digit PIN as a bare minimum, then the secure element throttling results in secure encryption. If you want security against a secure element exploit, then use a strong passphrase such as 7 random diceware words. Since users have separate encryption keys, you can use a strong passphrase for a dedicated use case instead of always having to use it. In the future, we'll be making it more convenient to use a strong passphrase without permitting secondary unlock via fingerprint alone.