Got a used Pixel 7a from Verizon, but the bootloader seems to be unlocked

Arround

Yes, this is already a platinum topic on many forums, but I'll still post it.
Got a Pixel 7a from Verizon and it is somehow unlocked: the phone seems to work fine, accepts all SIM cards, all sorts of Google services work, in general, as if it was never tied to this carrier. The only drawback is that the phone does not pass SafetyNet and bank cards cannot be added to Google Wallet (it gives some kind of error).
Checked the phone by IMEI and model and yes, it is really a device from Verizon.
But to my surprise, in the developer settings where the OEM unlock slider is already moved in ON position and it says that the bootloader is already unlocked, and if you reboot the phone, a message about the unlocked bootloader also pops up. Is it possible to install GrapheneOS on this device (or stay on the factory firmware and re-lock the bootloader)?
Screenshots and photos are attached for greater clarity of the situation:
https://ibb.co/DPg1gPXp
https://ibb.co/nswR7PSL
https://ibb.co/WCdjf6M
https://ibb.co/KpwxkTWL

other8026

Arround Got a Pixel 7a from Verizon and it is somehow unlocked

I have never heard of this happening before.

Arround the phone does not pass SafetyNet and bank cards cannot be added to Google Wallet (it gives some kind of error).

I think you mean Play Integrity, but this is expected.

Arround Is it possible to install GrapheneOS on this device (or stay on the factory firmware and re-lock the bootloader)?

Yes, you can install GrapheneOS. According to https://grapheneos.org/faq#supported-devices carrier locked devices have all the same hardware and firmware, so it should work.

As for whether you can just lock the bootloader and use it as is, I'd be a little careful about that if you're thinking about installing GrapheneOS in the future... I think if you can lock the bootloader, the image should be fine. I can think of 3 possibilities here. Not sure what will happen because I've never heard of someone being sold a Verizon device that's had its bootloader unlocked.

If you lock the bootloader from Fastboot, I'm not sure if a service will automatically disable bootloader unlocking for you. If that happens, you may not be able to enable bootloader unlocking again if the service detects you have a carrier variant. I don't think this one is likely, but it is possible.
If you lock the bootloader and disable bootloader unlocking in developer options, you may not be able to enable bootloader unlocking again if the device is detected to be a carrier variant. I think this is likely.
For some reason, the device is not detected to be a carrier variant, so you can still enable bootloader unlocking and unlock the bootloader in the future. I don't think this is likely either.

So the way I see it is if you want to play with the stock OS, I'd do so now with the bootloader unlocked, but keep in mind using a device with an unlocked bootloader is not safe. If you want to use the stock OS, lock the bootloader, but accept you may not be able to install GrapheneOS later. You can take a gamble and try keeping your options open by leaving bootloader unlocking on in developer options, but there's no guarantee you'll be able to unlock the bootloader later.

Sorry not to give a very clear answer. Your situation is unique.

Arround

other8026
I'm not a strong expert in Android, but it refuses to add bank cards to Google Wallet because Play Integrity is broken due to an unlocked bootloader?

other8026

Arround Sorry, I misread. I'm not sure if cards can be added, but I am not surprised that you aren't able to.

I'm assuming Google Wallet is checking if the verdict includes MEETS_DEVICE_INTEGRITY, which means (according to the docs here):

The app is running on a genuine Play Protect certified Android-powered device. On Android 13 and higher, there is hardware-backed proof that the device bootloader is locked and the loaded Android OS is a certified device manufacturer image.