> Without security updates, you really shouldn't rely on a phone for banking/payments/secure messaging. Google has effectively killed the Pixel 3 for real usage.
There is a lot of real usage which is not "banking/payments/secure messaging". Besides, stopping security updates does not mean the phone suddenly becomes open to the whole world. Many vulnerabilities might be exploitable only when running code natively on the device, or only when within radio range, or only when plugged directly to the USB port.
> Unless maybe you count email as secure messaging in some way
I would say yes, considering email is often used as a primary means to reset account passwords. Most services support MFA (which could be somewhat of a mitigating security control), but a LOT of services still don't.
There is a lot of real usage which is not "banking/payments/secure messaging". Besides, stopping security updates does not mean the phone suddenly becomes open to the whole world. Many vulnerabilities might be exploitable only when running code natively on the device, or only when within radio range, or only when plugged directly to the USB port.