The golden rule of phone privacy is that you never turn on your WAN anywhere near places attached to your name, or other devices that have ever connected to the internet in such places, or those of your social connections, or even taxi drivers who collect you from such places. Otherwise I can offer a mountain of ways that you can be deanonymized, sometimes down to your passport number. Not that Huawei telco equipment would do that because their website said it doesn't. But just theoretically, I mean.
Which brings me to a very important point: IMEI is immutable. It's a tag on your ass. (Nobel Peace Prize for the first vendor to offer an escape from 1984!) This implies that, in order to follow the above golden rule, you must never allow your phone to utter it, even once, unless YOU explicitly enable WAN access. I am worried that this assumption may be violated in a manner beyond your control:
First of all, suppose you have an Android phone which has been in airplane mode for a long time. It's therefore "safe" to go ahead and replace its firmware with GrapheneOS, which overall is probably a great idea. You're not stupid so you don't do this at home, in order to distance a phone running the (very rare) GrapheneOS from your home wifi (and for that matter your leaky VPN). You show up at a random coffee shop miles from your home. Now you boot up your laptop (with full battery) and connect to the shop wifi. Or perhaps you boot your other phone and hotspot your laptop to WAN. Either way, you just deanonymized yourself because you broadcast either your laptop wifi MAC or your other phone's IMEI. So if you're smarter still, you would disable your laptop wifi before leaving home, and buy a plug-and-play USB wifi dongle on the way to the coffee shop. And by the way, you rode your bike there (in dark or at least cloudy conditions) because you realize that a taxi driver's cellphone is just a proxy for your own location, connecting your home to the coffee shop.
So far so good, Sherlock! You boot up your laptop, connect to the GrapheneOS site, and start the install process. As part of that process, the phone needs to reboot. Uh oh, here we go...
Scenario 1
GrapheneOS starts its first boot. It first initializes the baseband module and tells it to search for WAN networks, blurting out the IMEI in the process. If you ever use the phone again, it will be tied to the coffee shop. If you cut corners on any of the above steps, well, too bad, you're irrevocably deanonymized. Hopefully the coffee shop camera isn't hacked, in which case all of that prep work is for nothing if the video is being connected to a face recognition database somewhere (not that a small company like Alibaba would be able to do that, obviously). Let's just punt on that one and pray that such threats aren't yet pervasive in 2023. Just don't sit next to that guy playing TikTok, or for that matter at the table right under one of the store's many cameras.
Scenario 2
GrapheneOS starts its first boot. It knows that it shouldn't enable WAN unless and until you instruct it to do so. However, your baseband module was designed by security ignoramuses. As soon as it powers on, it automatically broadcasts its IMEI as part of its hardwired initialization process. Game over.
Scenario 3
The previous scenarios are just fiction. I'm a fool for being so wrong, and we can all rejoice.
So, hive brain, which one is it...?