Roadwork I think you're indicating that somebody could prepare a GrapheneOS device in such a way that when handed to me it might appear to be freshly reset, but it might not be completely freshly reset, because a previous partial run of the setup app might have stored a Wi-Fi network.
It sounds as if there is a simple workaround, namely that if somebody hands me a device which in theory has a fresh GrapheneOS install I should factory-reset it to ensure that it is completely fresh.
Roadwork This exploit has been reported to Google. My understanding is Google have elected not to patch it.
Is there a bug i.d.?
I am not a security expert and I don't speak for the GrapheneOS team. But if a potential exploit requires physical access and if the resultant risk is low and easy to work around, I can imagine that it might not seem to be a high-priority matter. That said, you can file an issue on the GrapheneOS issue tracker.