Changing IMEI in almost all threat models is security/privacy theater - even if you changed it, it doesn't slow down a knowledgeable actor from continually identifying you because there are several other identifiers in the cellular network that don't change.
Changing IMEI leaves IMSI, phone number, ICCID, MSISDN the same. If you managed to change IMSI at the same time from something like PGPP then you still leave the rest untouched. If cellular network tracking is of concern to you, GrapheneOS tells you in their guides to avoid it entirely or use Airplane Mode.
Some services like Silent Link broadcast less information by using a foreign data provider on Roaming, but that would make you appear like you are a foreign user roaming instead.
zzz What's the motivation for the use of the word "never"?
Because the IMEI is burned into the (isolated) hardware and cannot be changed. In most cases changing the IMEI is only possible either by a reverse engineering process or an exploit on that hardware. Any 'IMEI change' Xposed modules etc. are just changing the IMEI value that apps in the operating system see. It is extremely unlikely for an exploit like this to exist that doesn't end up being a cause for other security issues in that hardware. GrapheneOS will always patch firmware for security.
There are cellular routers with IMEI change firmware (like what SRLabs have done with research: https://github.com/srlabs/blue-merle) but again, you'd need to constantly change SIMs to actually make discovery difficult, which also comes with the costs of sourcing several SIMs.
Only really old cellphones are the majority of phones to have an exploited and reverse-engineered baseband. OsmocomBB is an open-source GSM baseband firmware used to replace firmware in old Motorola phones that had their baseband processor's register-level instruction manual leaked. They're not used for spoofing but rather for cellular network snooping and analysis.
There are tons of "products" sold by unknown (probably criminal-oriented) organisations who try to sell products advertising privacy features and do not transparently disclose their methods of how their "security" works, which comes down to modding old, insecure garbage or trying to focus on making communications with the cellular network 'secure', which simply is impossible because of how flawed the network is.
The security-conscious avoid the network completely or use an implementation made to avoid trusting that network. Think about what people use instead of phones:
High-security government communications run their own fixed networks to deploy phones instead: https://communications.sectra.com/product/mobile-communication-up-to-secret/
If they use a cellular network, they use a solution that involves encrypting between the two phones:
https://www.electrospaces.net/2012/06/highly-secure-mobile-phones.html
Law enforcement use encrypted radio systems like TETRA instead of phones: https://www.sigidwiki.com/wiki/Terrestrial_Trunked_Radio_(TETRA)
UK Government use an Internet-based messaging service (WhatsApp, I know, terrible) instead of a cellular network: https://www.bbc.co.uk/news/uk-wales-65776560
The Pixel Tablet has no cellular radio so you can have the GrapheneOS experience without this risk.