Regarding Quatar requiring a spy app on the phones of visiters, some person commented this was possible. Is that true? Has Graphene a special fix for that? Or does a profile without the ability to make phone calls solve that?
All modern phones allow carrier push of apps. The cell service carrier essentially has root on your device. Qatar doesn't even need to require it if they could get the telecoms to force-push it. Also, you can't remove apps pushed by the telecom provider - even if you connect to a different telecom that didn't push the apps. Qatar probably doesn't do it because it's tough to only target foreigners that way.¹
Anyway, for a variety of reasons, it's always advisable to take burner devices when traveling internationally.
¹ - Just to add, I personally experienced this traveling in a former-Yugoslavian country 4 years ago. The moment I plugged my SIM in 3 apps got loaded on my phone. Fortunately I had bought a super cheap Android for the sole purpose of traveling there, which I discarded when I got home, and I indeed could not remove them. Either have to factory reset or root the device to get them off. The other thing that I didn't event mention is that cell radios have firmware that can be updated OTA, and you're SOL on that even if you reset your device or root it.
Edit2: There are legitimate purposes for this, I just wanted to say it's possible. For example your carrier could push their voice mail app. A lot of times you get a carrier-specific "carrier services" app that... well who knows what it does. But the point is, it can be legit, it can be nefarious. You can make your own judgment based on what kind of regime is in the country and how they exert that on its citizens, if they have the ability to force the telecom to capitulate.
I think the apps that installed on my phone were benign; I doubt the country I was in could force European telecom companies to spy for them (if they even wanted to do that). But other countries, like China - different government/corporate structure, and different story.
On the other hand, could you remove these apps with ADB? How can this huge security flaw be legal?