Beerman
"Tensor Pixels: add new USB-C port mode setting to Settings > Security providing a high level of control over USB functionality with hardware-specific integration for disabling USB controller functionality including fully disabling the data lines. There are 5 modes: On (current default during testing), Charging-only when locked except before first unlock (likely near future default), Charging-only when locked, Charging-only and Off (which even disables charging while booted into the normal OS mode). The modes tied to lock state permit already connected devices to continue working after locking and disable the data lines at a USB controller level after disconnecting. This is much different from the existing USB features including the Android 12 USB HAL toggle which only disable high-level kernel functionality and leave all the low-level kernel driver, USB protocol and USB controller attack surface enabled. It starts out restricted on boot and is relaxed to the configured setting."
https://grapheneos.org/releases#2024022600
"GrapheneOS defaults to ignoring connected USB peripherals when the device is already booted and the screen is locked. A USB device already connected at boot will still work. The purpose is reducing attack surface for a locked device with active login sessions to user profiles to protect data that's not at rest. This can be controlled in Settings ➔ Security ➔ USB accessories. The options are:
Disallow new USB peripherals
Allow new USB peripherals when unlocked (default)
Allow new USB peripherals (like stock Android)
This option has no impact on the device acting as a USB peripheral itself when connected to a computer. Android defaults to charge only mode and requires opt-in to the device being used for file transfer, USB tethering, MIDI or PTP."
https://grapheneos.org/usage#usb-peripherals