Endpoint security, IP-based GSM networking vs RIL telephony, isolation measures, ISP trust and fingerprinting mitigation, modem transparency, privledged baseband access and SIM vulnerability, to name a few big ones.
Again - Linux for desktops and servers can be great for privacy. For pretty much every single smartphone-based threat vector, it is a free lunch for attackers. We're talking off-the-shelf CVE exploits versus blowing a multi-million dollar zero-day here.
This is all very theoretical and unclear. For example, on Pinephone, the modem runs FLOSS software (except for a small blob managing the tower connections). Also, it's connected via USB, so there is no privileged access for it. I have no idea what ISP trust has to do with that. You can install Tor on the phone. And so on.
Again - Linux for desktops and servers can be great for privacy. For pretty much every single smartphone-based threat vector, it is a free lunch for attackers. We're talking off-the-shelf CVE exploits versus blowing a multi-million dollar zero-day here.