Security falls into a few broad categories.
1) Security of the data if the device is physically seized.
Using GOS with USB data disabled, a strong password, and a Pixel 8 or 9 will effectively ensure this. The use of a duress pin could theoretically make it more secure but as a practical matter, the above steps will render the data safe from all currently known and theoretical attacks once the device goes BFU (which by default it will do in 18 hours, and that can be drastically lowered if you desire). My personal policy is to assume that the NSA can crack anything if they are motivated enough (they can't, but they can do a hell of a lot more than is publicly believed possible), but short of that your data will be safe.
2) Security of your person.
The mere fact that you are carrying a GOS device will make you a person of interest to any law enforcement/Intel agency that becomes aware. You are walking around with the most secure computing device that is publicly available as a practical matter. If you provide a duress pin in much of the world this will see you in jail (or worse) for a long time, so is the marginal increase in your data's security worth a few years (or worse) in a prison?
GOS can also fall afoul of various nations laws. It may well be seen as a tool for espionage or intelligence activities in some places.
Personally, I use a locked down, and sanitized, iPhone when I travel to several nations because doing so makes me one visitor among many if the government looks and is generally secure in most respects against that government.
Note also that app usage plays a role in this as well. The existence of Signal on a device is, itself, a crime in some nations. A visiting tourist is unlikely to be bothered but a long term resident associated with a disfavored group may well be treated very differently.
3) Security of your device/data against non-local attack.
If you are in a potentially hostile location, assume that anything that leaves your device is compromised. Any nation worth the name can, casually, track the physical location of any device connected to the cell network down to at least the city block level and stores all that data for years.
Any phone number dialed/received or SMS sent/received is likewise in their possession; and if they have reason to care (gos is reason to care many places) they are all being intercepted & recorded in full.
Any data connections are likewise compromised. The use of a VPN can mitigate this to some extent but they will still know when and how much data you are sending/receiving. This can be mitigated (there are apps that will keep the connection up 24/7 and at a set data level, essentially sending/receiving junk dynamically to conceal your data usage) but doing so is incredibly obvious and would make you a person of interest. Note also that some nations block known VPN connections while many others instead track them. Even using a private VPN is obvious as it is the only IP you will be contacting and it isn't for a public service; this can be mitigated with good opsec and/or a lot of resources but it can still be a concern.
WiFi is safer, especially if you are using a randomized MAC as it is inherently harder to trace and fewer device identifiers are provided. It isn't exactly safe though.
Apps installed on GOS are relatively safe. You have to generally actively try to turn them into spyware. That being said, apps can fingerprint a device relatively well even on GOS even with no permissions. Using apps developed and owned by foreign entities who aren't on good terms with the local government is a good idea. If you need to install any government provided apps just assume that they are spyware and at a minimum are fingerprinting your device and thus associating it with your identity.
4) Your privacy.
As a practical matter, you don't have the resources needed to have a usable and private smartphone experience against a hostile local government that has reason to actively attempt to breach your privacy.
Take something as simple as accessing a local website via Vanadium. You will be fingerprinted and your fingerprint is basically guaranteed to be unique (or at least highly uncommon). If you have to log in, that finger print can be tied to your identity. From then on, even a VPN won't prevent the government from knowing that you are the visitor to a given site.
Then you need to account for other people. Let's assume you have the best personal setup ever. Does everyone you want to interact with have the same setup and practice similar opsec? The government might not be able to see your Signal messages but if they have rooted the device of the person you are talking to then they still have complete copies of everything you sent to that person over your "secure" communications channel.
Two people on GOS using Orbot via private Tor relays outside the nation and communicating via SimpleX is a very different circumstance than a phone call between the GOS user and John Q Public.
The first is, for all practical purposes, untraceable, impossible to intercept in a readable form, impossible to deanonymize, and impossible to man in the middle.
The second is being read by any Intel agency worth the name in basically real time.
Do not assume that GOS makes you safe, or even that it is necessarily the best choice in your specific circumstance. GOS is a tool, nothing more or less. On its own, all it will do is basically guarantee that your data stored on the device itself will remain secure (assuming you practice relatively basic opsec).
Be safe, and always remember to think before you do anything.