The main issue with iOS in my opinion is Apple's "rules for thee, not for me" philosophy -- more specifically, their approach to sandboxing. Apps on the App Store are required to be sandboxed and can't do a lot of things that core Apple apps can. 3rd-party apps are so powerless that it feels like Apple apps run as root with the amount of privileges they have, and for certain apps like Settings it makes sense. But this enables a zero-click exploit every few months repeatedly, where your phone can get hacked with a rootkit overnight and you'll never even suspect anything. It's come to the point where I can't help but laugh anytime I see anything related to "security" being brought up around iPhones. All because core Apple apps have system-level access.
This is where AOSP and GrapheneOS have what is needed to be more secure. Dialer and SMS apps don't need system-level access because the dialer and SMS APIs are just normal Android APIs that any app marked as the "default" app can use. This is what enables 3rd-party SMS and dialer apps as well. Everything is compartmentalized, an exploit in Vanadium (GrapheneOS browser) won't affect the whole system (unless it is chained together with a sandbox escape exploit, but at that point it is a much bigger issue). Of course, the whole system (AOSP) is much flakier as whole, but GrapheneOS makes substantial security improvements where I consider it to be on par with and better than iOS, in a dream land where iOS core apps aren't privileged. In the real world where Messages is practically a backdoor letting anyone in, it's even better.
But do expect tinkering. You are using Linux after all ;) For example, the default AOSP apps you get with GOS are borderline unusable and will leave you with a poor taste in your mouth each time using them (Gallery, Dialer, SMS, Contacts, Calculator, etc.). GrapheneOS apps are a bit better, but still nothing award-winning (Camera, Auditor, Vanadium, Apps). First thing you're gonna wanna do is load up an F-Droid client (I recommend Droid-ify) and download the simple gallery, dialer, SMS messenger, contacts, and the organic maps app. Then set them up and disable the system ones. All of a sudden you have core apps that are fully sandboxed, even if someone sends you a "killer SMS" that glitches the SMS app, it can't do much other than access other SMS. It can't even access the internet. Compared to iOS this is truly a breath of fresh air.
Then load up Aurora Store and LinkSheet, these 2 apps will let you download apps from the Play Store without a Google account. (LinkSheet is needed as a workaround atm). Open Aurora once, accept all the defaults, then quit it. Set up LinkSheet as well. Then, go to Vanadium, search up any app on the Play Store website, then share it through LinkSheet to Aurora. Use this to install Google clock, calculator, and Gboard. But don't allow internet for those. (Again, sandboxing! Principle of least privilege! Keyboard shouldn't be able to access the internet!)
Also on Graphene you can use user profiles extensively: they are pretty much sandboxed like separate devices. Enable it in settings, then use them if you want to install questionable apps. You switch away to a completely isolated profile, where you have completely different apps installed. Use the app, do what you need, then hold the power button and end the session. This seals up the profile and freezes it, literally nothing can happen in it until you unlock it again. It's as if that separate virtual device has been powered off (because it practically has, data is purged from memory and encrypted on-disk).
About web browsing: Yeah, hundreds of millions of people use mobile Safari. However advanced fingerprinting techniques are at the point where they can tell you apart by slight variations in how your specific chip runs instructions (WebGPU fingerprinting). On Graphene, Vanadium doesn't really do anything to counter fingerprinting, it focuses more on exploit protection. There was a great browser called Bromite, developers abandoned it but a new fork called Cromite updates it, it has actual anti-fingerprinting tech (comparable to that of Tor/Hardened Firefox). It has tons more privacy and convenience features (literally adblock on mobile), but a bit less secure since it is layering stuff on top of Bromite and pretty much playing catch up with latest chrome. I still recommend getting it tho (it's not on F-Droid yet, only on github). You can use LinkSheet to split the browsers in two: route common websites/"web apps" you use to Vanadium (e.g. webmail, banking, government ID, any sensitive stuff), and everything else (articles, web searches, other random links) to Cromite.
Some apps will need Play services. With Graphene you can install them in a sandbox, but I wouldn't install them (and don't install them) whatsoever on my main profile (in my region popular brands make phones that come without google services so most apps work fine without them). Only in a secondary one, and only if strictly necessary.
More pro tips: you can use KDE connect to get most Apple ecosystem features (e.g. sync clipboard, ring device if lost, take photo on computer from phone) on the same Wi-Fi. You can use Syncthing to sync photos and files. You aren't losing anything by using Graphene.
But in conclusion: With Graphene, you are not putting trust in anyone (well maybe except the developers, but it's open source). You decide what to do, the base OS is very secure and you can improve it further or make it worse. No big tech accounts, no proprietary clouds, no weird exploits every few months.