wovensash Thanks for the detailed responses, but would there be any chance of providing actual examples of exploits with PoCs that we could be targets of? Or perhaps even just one example?

While there may be people investigating AOSP patches and even Google firmware patches, and turning them into exploits for unpatched devices, including EOL devices, there is a structural reason why those people are not likely to post details here.

Since Google has dropped support for the old devices, and the patches have been issued to new devices, developing exploits isn't going to result in a reward from a legitimate bounty program. However, such an exploit may well be monetizable through darknet forums for use by criminal gangs.

All in all, if somebody does have nicely packaged exploits targeting old Android/AOSP/GrapheneOS variants, or targeting Pixel 3A XL firmware, they may not be motivated to provide the sort of helpful counsel you are seeking. And if some forensics researcher finds a 3A XL that has been exploited, it probably isn't news, since the device is EOL and is firmly expected to be unsafe.

If you are unhappy junking a working device (this is a reasonable position!!) and are willing to accept an elevated level of risk compared to a current Android and current firmware, it appears that DivestOS has some support for the 3A XL: https://divestos.org/pages/devices#device-bonito. As time goes by, a frozen out-of-date GrapheneOS may become less secure than a somewhat-updated DivestOS, though it's not really possible to assign numerical scores.