mhbcrypto
I understand people's dislike of Google's brand of surveillance capitalism, but acting as if they are somehow willing to distribute malware is certainly a choice.
Are you auditing every line of code of every app you use yourself before installing? Before updating? Have you done a forensic audit of the Graphene source code? If so, you have much more free time than I.
Example: we're not that far removed from when an APT managed to bully a Linux maintainer so badly that they had SSH backdoors in the testing branches of every major Linux distribution around.
Some level of trust in the supply chain is necessary to function with this tech. I feel people need to pick their battles here rather than give way to excessive paranoia.
Just my $0.02.