taiyi According to the information from Cellebrite, the Pixel 6 and later prevent them from doing a brute force via their time-based secure element throttling whether or not they use GrapheneOS. No other devices are successfully preventing them from doing this. If you want to prevent this even if they get a secure element exploit, use a strong diceware passphrase. This will become much more convenient soon via our 2-factor fingerprint unlock feature where you'll be able to use fingerprint+PIN for secondary unlock after first unlock instead of being able to unlock with only a fingerprint which is problematic.
They can exploit the stock Pixel OS either BFU or AFU but not GrapheneOS since late 2022. It doesn't mean that it will hold forever. We're continuing to improve security against these attacks and they're continuing to work on developing exploits. We've been making major improvements such as our new USB-C port control feature which have hopefully destroyed lots of their progress and forced them to essentially start over.
It should be kept in mind that mobile devices do not have encrypted memory yet, only non-cryptographically-secure scrambling at best, so it's theoretically possible for them to extract data directly from memory if the device is AFU although that won't give them the ability to unlock the device or get all data. If they developed the capability to arbitrarily modify memory, they could get it unlocked if it's AFU, without any direct OS/firmware exploits. Encrypted memory is a feature we hope gets added in the next couple years. There's still the attack vector of directly tampering with the SoC but it will raise the bar a lot.