GrapheneOS You have an opportunity to install a VPN from an APK on a USB storage drive before it connects to a network
That requires you to know this way is mandatory in the first place. Most users don't have a CS degree in cyber security and don't know all the nuances and caveats. The connection behavior is non-obvious.
GrapheneOS Otherwise, how are you going to receive highly important updates to the OS and apps?
You don't, if that's what you choose at the initial setup; you do it offline. Notifications about updates can be sent through CDN providers like Cloudflare that don't link the notification server to the GOS domain. What if your update server and signing key are compromised? Currently they're automatic; why does GrapheneOS force user updates? This is another security issue.
GrapheneOS It's very clear that GrapheneOS is going to connect to GrapheneOS services for updates at a bare minimum
What is precluding GrapheneOS from adding ECH to their domains to at least mask the SNI?
GrapheneOS If you're not using a VPN, how do you expect to blend in?
A VPN serves a completely different purpose. I'm talking about standing out in traffic as the result of the opaqueness of GOS default behavior. Complete blending is the user's issue; "notify the surveillance that I've just installed GrapheneOS" is a GOS issue.