The Gotcha Math on Android ROMs

Since people are recommending CalyxOS and microG as alternatives to GrapheneOS with sandboxed Google Play Services, I want to point out an important aspect of microG. Anybody who is considering microG should be aware that it relies on signature spoofing:

https://github.com/microg/GmsCore/wiki/Signature-Spoofing

CalyxOS does attempt to mitigate this potential security issue:

https://calyxos.org/docs/tech/microg-details/

However, even with mitigations, microG still relies on introducing a potentially exploitable security hole that doesn't exist with sandboxed Google Play Services.