djcf Do vulnerabilities like exported activities (e.g. DialerActivity with no permission requirements) still apply on GOS when running third party apps like Fossify?
It's generally helpful when inquiring about a potential vulnerability to provide a precise indication of what is being asked about, such as a CVE number or a report in a reputable press organ.
djcf Or does something in GOS prevent a malicious app from exploiting it?
GrapheneOS at present doesn't include IPC filtering outside of the standard AOSP user profile system. There has been some discussion of potential features along these lines, e.g.: https://github.com/GrapheneOS/os-issue-tracker/issues/2197
But for dialer apps in particular, I think that due to their role they should be chosen based on security and privacy, and I wouldn't be surprised if dialer apps need to use IPC.