qr1 You're talking about something like an MBR virus? Those are EASILY cleared by zero'ing out the disk, which is something that a lot of people didn't do when infected (back when this type of malware was common).
The boot sequence on a phone is more robust than on an old 8086 desktop. Each stage of the boot is cryptographically verified prior to execution, so if something in some stage is modified, then the prior stage will refuse to boot it.
It is technically possible (using some exploit) for malware to inject a modification into the kernel layer (boot.img) or higher (system.img, etc.), but doing so would also require injection of custom verified signing keys, so if the worst possible thing happens, clearing the avb_custom_key partition would solve the problem. GrapheneOS wipes this and installs its own key there during installation, so a complete reinstallation would eliminate any potential persistent malware.
Google doesn't use a custom key there, so running "fastboot erase avb_custom_key" and a full reinstall would work for factory image.