meiklmue while I appreciate the fact that you're advice is evidently coming from a good place looking to help someone there are a few issues surrounding the idea that any other OS is a viable alternative to where they sit with GrapheneOS and the truth of what yoshamano described.
LineageOS and others based on it set an inaccurate patch level and misleads their users about what's provided. It's a dishonest approach chosen to promote an OS at the expense of users unknowingly not having privacy/security. Easy to set a fake patch level since it's just a displayed value.
The patch level exists to tell users if they have all of the patches from that Android security bulletin and all prior Android security bulletins. The patch level on OSes like Lineage is dishonest because they're missing up to half of the patches and still claim the full patch level.
Android security bulletins include far more than the AOSP patches which are only about half of what's included in them. Setting a fake patch level to downplay unpatched vulnerabilities and mislead people about what patching a subset of vulnerabilities provides.
Projects should simply not be playing games with redefining what the patch level means to mislead users and downplay the impact of missing patches. It'd be a scandal if an OEM set a fake patch level and it's a scandal that a widely used OS does it.
While DivestOS is more open about the above, if you have an EOL device anybody telling you there is an option to keep it 'updated' is selling/marketing false hope.
There is no problem in using them to keep old devices running, in fact it is a laudable enterprise so long as people can make properly informed decisions as to how they use them and what for.