thestinger commented on Sep 12, 2021
https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
Disabling native debugging improves the app sandbox and sandboxing elsewhere in the OS. It's up to you if you consider it worthwhile to disable it when you aren't using them. GrapheneOS leaves it enabled by default and just provides the option to disable it since it's a nice way of improving sandboxing and protecting against local privilege escalation. It's not a huge security benefit. It just disables the ability to use the ptrace system call which occasionally has vulnerabilities, and can also provide an attacker with lateral movement between processes within the same sandbox. For example, apps often run something in a separate process within their app sandbox rather than within a nested isolatedProcess sandbox (nested sandboxing isn't broadly used outside Chromium) and native debugging provides a way for an attacker who compromises that separate process to directly gain control of the main app process.
It's simply a global toggle right now because in theory it should only be needed by developers who need to do debugging. It's unfortunate that there are apps using native code debugging as a strange way of trying to put up barriers to analysis of the apps. They aren't really accomplishing anything by doing that beyond slightly annoying security researchers who look into the apps.