How far off of AOSP is CalyxOS though? Given that most Android users are running unaudited carrier & OEM modified ROMs that rarely see updates, a ROM that is very close to upstream AOSP is apt to be much more secure.
Nevermind that many of the apps that Google ships as part of Google Play are not receiving security audits outside of Google, Google is not committing to regularly audit their apps or publish the results, and these apps function as black boxes on your phone, with privileges that most other apps do not have.
Nevermind that many of the apps that Google ships as part of Google Play are not receiving security audits outside of Google, Google is not committing to regularly audit their apps or publish the results, and these apps function as black boxes on your phone, with privileges that most other apps do not have.