Sinai "My mother knew my whereabouts, and practically everything I looked at online via my old android phone.", if that was the extent of her knowledge, it was most likely your google account.
A google account would have access to your search history and location, anyone with access to it can request this information (find my android, google search history in settings)
Your WiFi would NOT be the place she would get this information from, the router would have no access to that information. At most with a comprised WiFi router she could sniff any unsecured traffic, but thats the extent of it. Even a DNS attack would fail as soon as it attempts a HTTPs handshake and gets a invalid certificate. She could possibly sniff the IPs you connect to and try to match them with domains but I really doubt that and she still couldn't read the actual traffic itself.
By installing GrapheneOS without google services installed, you already have defended yourself from the most likely attack. I would just secure your google account further and add 2FA.
This is striking out physical based attacks, like installing malware directly when you weren't looking, but I understand that might be a stretch if its pincode locked and she didn't know the pin.
People are saying 'expensive gov agencies' because the actions you are taking are defenses from attacks your parents don't have the resources for. Its simple to do a DNS attack on a local network, its not simple to sniff HTTPs encrypted traffic and get anything meaningful from it.
Attacks you are discussing, like SMS (most likely referencing the IOS PDF CVE) or exploits in applications like WhatsApp are simply not reasonable for normal people. When these exploits become public, they are patched fairly quickly.
Your mom is not finding 0 day exploits just to track you. I assure you the simplest explanation is the correct one most of the time in cybersecurity. Your parents probably had access to your google account or similar service