horde Pixel (GrapheneOS) devices are protected from https://oxygenforensics.com/en/resources/extract-and-decrypt-android-keystore/ ?
That article lists two extraction approaches.
One approach relies on the device being unlocked, or on adb being enabled and available. The GrapheneOS project frequently warns users against leaving debugging on, especially wireless debugging, on the grounds that it increases attack surface (it does).
The other approach is described as working for certain hardware types, not including Pixels. This is consistent with other information that Pixels, especially if up to date on patches, are more difficult to exploit. Again this is consistent with the project's insistence that at present the Pixel platform is the only platform with sufficient hardware security plus the ability for third-party OSs to effectively use that security.
Though I am not an expert on the Android Keystore, based on what I see in that piece, a GrapheneOS device that is up to date and configured in accordance with recommendations (e.g., USB and wireless debugging off), is likely not subject to the described key extraction.