Hopefully I can help answer a very direct question with a very direct answer.
Obviously, AOSP is a Google project, but there's this flawed way of thinking about Google's relationship with the project which is: Google spies on us, so if Google makes an OS it must be spying on us.
That's not correct at all. The OS is solid. It's just that Google has used its position as AOSP owner to make its GMS apps (Google Play, Google Play Services, Google Services Framework, etc.) almost completely necessary for all OEMs to install on their phones for their phones to operate (notifications, GPS, other features). Google's apps use privileged permissions to (potentially) spy on users.
Also, a thing I read somewhere said something about this being why Facebook actually pays OEMs to be preinstalled on some phones. Being a preinstalled system-level app means system privs. System privs mean much easier data collection.
So, the fact is Google doesn't need to make AOSP into a spying OS. They just built it so system apps have sufficient privileges to collect data.
Not to mention AOSP is one of the most used OSs in the world. It's open source, so of course many, many researchers are looking at its source code trying to make it better or to get a reward for finding a vulnerability. Android is very safe.
So let me tell you about my lord and savior, GrapheneOS.
Just in case it isn't obvious, this is a joke... Continuing OP's joke about GOS being the "second coming of Jesus."
(Why can't I do inline spoilers on this site?)
If you can read code, you'd see that they are very smart about how they implement their features. Like I said earlier, AOSP is already very solid. GrapheneOS makes it more solid. Additionally, you can use the OS just like you would stock with Google's GMS apps installed without sacrificing your privacy, since GMS apps are installed as normal apps without any special privileges.