https://discuss.grapheneos.org/d/27068-grapheneos-security-p...
IMHO, it could be worth the fight if GrapheneOS could win their (rather legal/lobbying) battle to obtain play integrity certification by following security closely (which is a joke IMHO because EOL phones with not updates for years also get integrity). Google releasing easily diffable security only bytecode sets, seems like a security nightmare for everyone else.
All of those distros suffer from the reliance of Google to release anything, so they in one way or the other they play the game. Particularly Lineage heavily does 'self-censoring' to comply without much benefit IMHO. We really would need e.g. does not even include the keys for providing alternative web views or the ability to switch the location provider. While google has those capabilities, they only support services sending data to their own servers.
I used lineage as my daily driver since the CyanogenMod days and the HTC desire, but switched to a Google Pixel a few month back, because I felt I had lost the play integrity fight and although my great Redmi Note 10 Pro was running other like a charm thanks to lineage and the device maintainers (Daniel and Aryan), I personally could not invest time and cognitive capacity anymore.
More and more device manufacturers are locking down their bootloaders again. I hope someone can break the momentum and finds a way to break the OS duopoly.
> does not even include the keys for providing alternative web views or the ability to switch the location provider.
Trusting third parties with this is a privacy and security risk. GrapheneOS uses our Vanadium fork of Chromium for the WebView and LineageOS has their own builds of Chromium for it. We provide our own network location implementation using a semi-offline approach based on Apple's location service. We plan to add fully offline support for both Wi-Fi and cell tower network location via downloading regional databases. SUPL is essentially obsolete for GrapheneOS since all supported devices have PSDS and the network location service is already used to help accelerate GNSS when enabled, so we could just remove that instead of making our own SUPL service based on the same data.
We're making progress in fighting the Play Integrity API but governments and regulators move slowly. Courts also move slowly but we haven't brought it to a court yet and would prefer not having to do that. We would greatly prefer if Google worked it out with us and other AOSP-based operating systems but it doesn't appear there's much chance of that ever happening. It's strange since we were never hostile towards them, earned them a lot of money via hardware sales and made substantial upstream contributions.
A major Android OEM is working with us because unlike Google, they're able to see the significant benefits of working with us and selling a lot of devices based on it once they have official GrapheneOS support. Google could have worked with us and others instead of the path they're taking. They could have sold a lot more Pixels by opening up the devices more and improving them. Instead, they'll sell a lot fewer Pixels than they could have as one of the main reasons people buy them goes away. A lot of people who bought them and used the stock OS still bought them because they knew they could get first class support for another OS. They're shooting themselves in the foot. Our userbase will be buying devices from another OEM instead once they meet our requirements.
See https://discuss.grapheneos.org/d/24134-devices-lacking-stand... for a more detailed explanation.
Like "gluing" two phones together - just better ;)
It would be great to run an open OS but having to carry a separate phone for banking/paying is not really a viable option.
The excuse of "security" or "it's for the children" is complete BS, because it's about "them" having unwanted and total control.
Or just leave the possibility of easy unlock the phone and publish sources.
As did WileyFox - https://www.xda-developers.com/wileyfox-to-issue-update-to-m...
They were both budget brands with niche offerings. For most people, the source of the OS is immaterial. There's very little competitive advantage to selling a forked OS, and a rather large downside in terms of support costs.
I'm mostly happy with my GrapheneOS device - but it is absolutely not suitable for mass market.
What makes you say that? I run GrapheneOS on a Pixel and had to go through the relative simple flashing process, but if GOS came preinstalled on a device anybody familiar with Android (or even iOS) would be able to use it. Compatibility with Android apps is great too.
Lots of banking apps don't work.
RCS has only just started working.
No "Find My Device" support.
Permissions model is difficult to understand - even I struggle with it.
Standard launcher has tiny icons which can't be adjusted.
Pop on to https://discuss.grapheneos.org/ and see the struggles which users have.
"Find My Device" means the location of your device is constantly sent to and stored on someone else's computer (the "cloud"), and it is something that shouldn't exist unless that someone else's computer happens to be yours.
It's nearly the same permission model as Android 16 beyond having Storage Scopes and Contact Scopes as easy to use alternatives with fine-grained control along with Sensors and Network toggles. It's otherwise the same.
If you're talking about the exploit protection features with toggles, that's not part of the permission model and the defaults don't break any apps without serious bugs. Apps with memory corruption bugs can be broken by the defaults, which only requires turning on the compatibility toggle for the app. People don't need to understand the finer grained settings.
The default 4x5 icon grid has the same icon sizes as the stock Pixel OS, which can't be adjusted there either.
The vast majority of issues people have with GrapheneOS are issues with Android and Android apps which are not specific to GrapheneOS.
If people do not want to interface with those features, they can simply skip them, and the permission model will be the exact same as it is on Android.
As an alternative you can order a code generator but for DKB that requires a paid debit-card. ING disables the phone app if you use a code generator. You cannot have multiple 2FA.
Germany likes to think that they belong to cabinets and powered with internal combustion engines. Internet was a new land in 2013. So every user-friendly feature has to be shoved into Germany's throat by EU (especially banks and insurance). The usual reaction from German companies is to wait until the last moment and then hire a law / consultancy firm to implement required changes as badly as possible.
Looks like LineageOS supports various iterations of the Nvidia Shield device. What I'm wondering is whether this new Catapult launcher is compatible with Android TV that comes with off the shelf Smart TVs. I've grown accustomed to the default screen on my current TV's in-built Google TV (not Android TV, although I'm not totally sure of the difference), but it does enforce at least one additional click to get to the actual functions I, and the family, use it for.
Gonna check out Catapult right now.
Edited to add note: It looks as if the latest Nvidia Shield device requires soldering a USB port onto the mainboard of the device[0]. That probably excludes a decent percentage of people who may otherwise be happy software hacking a device.
[0]: https://wiki.lineageos.org/devices/sif/install/#usb-port-ins...
https://xdaforums.com/t/official-lineageos-22-for-amlogic-gx...
I think that a generic mini-PC would make more sense overall, but can Lineage be build for x86 at all?
Freedom & Features: LineageOS
That is not to say you have no freedom or extra features with Graphene, or no security with Lineage, it’s just what either project has very clearly as main target.
I do miss some features since switching to GrapheneOS (customizable on screen nav, volume rocker for cursor control), but I’m very happy with stuff like sandboxed google play services.
https://grapheneos.org/features is an overview of what's provided compared to AOSP but doesn't cover everything yet, especially recent additions.
GrapheneOS is more strict about security, making it more secure but less accessible (at the moment you can only run GrapheneOS on Pixel phones).
I am happy with GrapheneOS' policy: that's exactly why I use GrapheneOS, to the point where I bought a Pixel just for GrapheneOS. Many people complain about GrapheneOS not supporting other phones. IMO it's the other way round: the other Android manufacturers do not support GrapheneOS.
If you really want GrapheneOS to lower their security in order to run on another phone, what you want is actually LineageOS.
The hardware itself should never be trusted when being produced by a vendor like Google and cannot be verified on the component level. Their business model completely revolves in reducing your private sphere and sell it to others.
Never use google hardware if you are serious about security.
The reason GrapheneOS has an OEM partner we're working with towards their at least one of their upcoming devices meeting our requirements is because Pixels are the only currently viable options. If other OEMs were making reasonably secure devices with support for using another OS on their own, we wouldn't need OEM partnerships. The currently available devices from our OEM partner don't meet our security features or update requirements, but a subset of their future devices will. GrapheneOS will be officially supported so it will be easier to provide a fully production quality OS and we'll be able to do lower level privacy and security improvements at a hardware, firmware and driver level.
Their business model also does not involve selling data afaik, it's selling access to their adspaces [1] all over the internet including the ability to target people (based on information Google jealously hoard). They stand to lose just as much as most other OEMs if they did suspicious things in hardware just like Apple, Samsung etc.
If you're serious about security you will avoid using OEMs that have unfortunate patch gaps which leave device owners at the mercy to *known vulnerabilities* [1][2][3][4] as well as unknown threats which is fortunately one of GrapheneOS's many reasonable device support requirements.
[1] https://blog.google/products/ads-commerce/more-effective-med...
[2] https://srlabs.de/blog/android-patch-gap
[3] https://srlabs.de/blog/android-patch-gap-2020
[4] https://www.android-device-security.org/talks/
[5] https://techcommunity.microsoft.com/blog/vulnerability-manag...
If your threat model is that you cannot trust the Pixel hardware, then you cannot trust any smartphone or computer at all, period.
This doesn't mean the cheap device arrives without spyware, likely the difference is the spyware being monitored by chinese rather than US agencies so pick your poison. I'll pick mine.
This is just a strawman: Nobody claimed they were open hardware.
> Open schematics for a PCB don't make it any harder to hide a backdoor.
This is like saying that FLOSS doesn't make it harder to hide a backdoor. Of course it does.
So you are just attacking another FLOSS community with false [0] claims. This is suspicious.
[0] You can't say "extraordinary insecure" without specifying a threat model. For some threat models, GrapheneOS is less secure, e.g., https://news.ycombinator.com/item?id=45556788
Also, if I explicitly don't trust Google with anything, GOS is extraordinarily insecure for me until a new vendor appears.
It would be "more secure" to have a per-application firewall that blocks particular apps from outbound traffic over certain networks or to certain destinations. This prevents a malicious app from consuming roaming data.
LineageOS can have that, at the owner's preference. Graphene explicitly forbids it.
It would be "more secure" to allow backing up apps and all their data. This would mitigate the damage of ransomware. Graphene, again, forbids it (following google guidelines prioritizing the wishes of an app's developer over the device owner).
There are many such examples. Lineage is philosophically owned by the person who installed it onto the phone. Graphene is owned by the Graphene devs, NOT the phone owner. Sometimes the Graphene devs purposefully choose to let software on the device restrict the valid owner of that device.
LineageOS can have that, at the owner's preference. Graphene explicitly forbids it.
Not sure what is meant by forbidding it? GrapheneOS provides per-app network access control via a user-controllable Network permission which is not implemented in AOSP or LineageOS afaik. They do not forbid using local firewall/filtering apps like RethinkDNS (to enforce mobile data only or Wi-Fi only iirc) and InviZible. They only warn that 'blocks particular apps from outbound traffic ..to certain destinations' cannot be enforced once an app has network access which makes sense to me.
>It would be "more secure" to allow backing up apps and all their data. This would mitigate the damage of ransomware. Graphene, again, forbids it (following google guidelines prioritizing the wishes of an app's developer over the device owner).
Contact scopes, storage scopes, the sensors permission and the network permission are examples that show precisely the opposite (GrapheneOS prioritises the device owner over the application developers). To my understanding, the backup app built-in to GrapheneOS even 'simulates' a device-to-device transfer mode to get around apps not being comfortable with data being exfiltrated to Google Drive. That being said, I understand they have plans to completely revamp the backup experience once they have the resources to do so.
LineageOS has the same Seedvault backup system with the same limitations. There are few limitations left since Android 12's API level stopped apps opting out of all backups by redefining it as an opt-out of cloud backups and similarly redefined the file exclusions as only being for cloud backups. The new system supports very explicitly omitting files from device-to-device backups but it has to be explicitly specified that way and few apps do it. The problems with apps opting out of backups due to not wanting cloud backups for space, bandwidth or privacy reasons has been solved for several years now. It doesn't mean all app data is portable between devices, such as Signal encrypting their database with a hardware keystore key making it fundamentally impossible to do backups at a file level for it rather than using their own backup system.
See https://news.ycombinator.com/item?id=45562664 for a response to the rest of it.
These are not an android VPN provider and allow blocking traffic based on the combination of source app AND DESTINATION SERVER ADDRESS.
That's not true.
You can use apps like RethinkDNS providing local monitoring and filtering of connections while still supporting using a VPN on either LineageOS or GrapheneOS. GrapheneOS fixes 5 different kinds of outbound VPN leaks which are still present on LineageOS, which is quite relevant to this. There are no known outbound VPN leaks remaining for GrapheneOS as long as Private DNS is set to Off.
The reason GrapheneOS doesn't include the finer grained network toggles LineageOS does is because they're leaky and do not work correctly. Our Network toggle doesn't have those kinds of leaks. We do plan to split up the Network toggle a bit but doing that correctly is much harder and comes with some limitations since it still has to block generic INTERNET permission access if anything is disabled and only permit cases which are specially handled.
GrapheneOS has Storage Scopes, Contact Scopes, a Network toggle and a Sensors toggle not available on LineageOS along with other app sandbox and permission model improvements. Users have much more control of their apps and data on GrapheneOS.
LineageOS provides privileged access for Google apps while we take a different approach.
> It would be "more secure" to allow backing up apps and all their data. This would mitigate the damage of ransomware. Graphene, again, forbids it (following google guidelines prioritizing the wishes of an app's developer over the device owner).
That's also not true. LineageOS has the same limitations and backup system.
Both GrapheneOS and LineageOS use Seedvault with the same kind of integration. Since the Android 12 API level, apps can only opt-out of cloud backups and existing exclusion files only apply to cloud backups. There's a new exclusion system which can be used to explicitly omit files from device-to-device backups such as Google's device transfer system, but that's rarely used and it exists for good reason due to device-specific data that's not portable.
> There are many such examples. Lineage is philosophically owned by the person who installed it onto the phone. Graphene is owned by the Graphene devs, NOT the phone owner. Sometimes the Graphene devs purposefully choose to let software on the device restrict the valid owner of that device.
You haven't raised any examples of GrapheneOS restricting what can be done in a way that's not done by LineageOS. All you did is bring up a feature approached differently by both operating systems where the most flexible solutions such as RethinkDNS are available for both. If people want to modify either GrapheneOS or LineageOS, they can do it for each. We provide very good build documentation for production releases with proper signing. We strongly recommend against using Magisk but people do modify GrapheneOS with that projects and use it. Our recommendations are not restrictions on what people can do.
Graphene requires that I use google services (sandboxed) and does not PERMIT me, the owner of the device, to choose otherwise without compiling my own fork.
But they did share valid concerns about their reasoning and most other aspects of the OS certainly have a great focus on security.
iOS does not currently implement end-to-end encryption for RCS. End-to-end encryption for RCS is exclusive to conversations between Google Messages users. Apple has said they'll implement the new MLS end-to-end encryption for RCS but has not done it and has provided no timeline for doing it. It took them a very long time to implement basic RCS support and this will likely take a long time too. Google Messages has not yet moved to the new MLS encryption, but it will need to do that too in order for iOS implementing it to provide end-to-end encryption across them.
For now, I have switched back to iOS due to a significant majority of my contacts using iMessage, so I'm back to encrypted chats again. Hopefully the future of RCS changes things while America struggles with using a unified messenger. I dream of using a dumb phone with RCS.
[1] - https://grapheneos.org/releases#2025070700:~:text=only%20per...
Graphene OS was only available for a few Pixel Devices whose source was fully available and mainly focused on security features like improved permissions and more anti tracking features.
To give an example, a company I worked for shipped it's phones with a Lineage OS base with a few patches from Graphene OS to replace default ntp and connectivity check servers.
Which hardware should one get to run this? Which hardware is reasonably ethical? Perhaps the Fairphone 5? There are lots of choices from Motorola and OnePlus but I know nothing about them. (Well I remember the old Moto up to Y2k.) Not sure where to buy them.
If you want something cheap and easy instead of the Fairphone, the Motorola moto g 5G (2024) looks good. Supported by LineageOS 23.0 and also on the list of calyx devices, https://calyxos.org/docs/guide/device-support/#modern-device..., with vendor security updates till 2027 (though calyx is on pause, that's me only hoping the device list will still apply afterwards, would be an interesting additional option). Not available in my market though, or just hard to find with that name given the other similarly named motorola phones.
OnePlus 12R is one of the newest phones that is supported, and will get vendor updates until 2028. No headphone jack and no sd card slot though.
Ethical does not describe the OnePlus and Motorola phones. But anything used could be judged as such, since you then at least did not add to the garbage pile of unrepairable devices directly - but they are a bit new for that maybe. On the other hand, vendor security updates don't exist for many of the older devices (especially those from Motorola, they churn out new devices by the dozens and almost immediately abandon them), and the new EU regulations that force vendors to provide security updates only apply to new devices.
I see the Murena, which I think is the same hardware. But their page says the bootloader is locked. Hmm, think that's a no-go. https://murena.com/america/shop/smartphones/brand-new/murena...
Lineage has no account system. /e/ does, optionally.
Fairphone 4 and Pixel 6 were released in October 2021. Fairphone 4 is on the soon to be end-of-life Android 13 and already end-of-life Linux 4.19 kernel branch. Pixel 6 is on Android 16 QPR1 and the Linux 6.1 kernel branch since it moved to it from Linux 5.10. Fairphone has 1-2 month delays for partial security backports to older releases and years of delays for major OS updates. This does impact another OS supporting the hardware. Fairphone 5 is using the Linux 5.4 kernel that's end-of-life in December 2025 with no plans to migrate to a new kernel. Fairphone devices are missing the security features required by GrapheneOS too including but not limited to MTE (hardware memory tagging) which is the basis for Apple's recent launch of Memory Integrity Enforcement but has been more heavily used by GrapheneOS since October 2023.
GrapheneOS is a much different kind of project than LineageOS and other AOSP-based operating systems. The privacy and security focused comparison table at https://eylenburg.github.io/android_comparison.htm shows that quite clearly.
I used to run Waydroid directly on the phone, but the phone has terrible specs and Waydroid had become frustrating in the last few months, when it updated its LineageOS image to a new Android version. It would frequently crash or pop up an infinite series of "app is not responding" dialog boxes, even though whatever app it was was responding just fine. With my new VM + waypipe setup, Waydroid launches in ~10s instead of ~3 minutes, and everything is reasonably snappy despite now traveling over the network, so I'm happy.
I can't even fathom what the build system is doing in order to require this amount of storage.
A large number of 17 year old repositories, prebuilt toolchains, and the fact that you otherwise have every little bit of source code, intermediary results, and output to create a full operating system all in the same place.
As for the memory, the very first step (that basically already is the benchmark for the most memory usage) is loading the entire build tree and generating build steps. Yes, that takes 32GB of RAM, if not 64GB nowadays.
That being said buying a phone compatible with Lineage or Graphene (only Pixels for the latter) is well worth it. This will probably become even more important in the future if Google bans sideloading or complies with idiotic laws such client-side scanning of messages in some markets.
This requires both phones to use Seedvault though, so it's not an option when moving from the stock OS to LineageOS.
Lineage puts out all the patches that they can, every month, unlike OEMs. If current patches are important to you, this is your OS.
Lineage allows you to run it without any Google closed source code.
These are some serious advantages, depending upon what you are trying to do.
It has the same familiar look and feel on all devices and by experience is way snappier than the original ROM.
Phone is rooted with Magisk Hide and MicroG for spoofing google play services. Google Wallet does not work.
I just looked into this and in the US there's basically no technical answer that I'd expect to be reliable.
You've got a few choices:
* magsafe wallet (~$10) without nfc shield with a physical card
* "purewrist" prepaid debit card (would be good for a kid maybe)
* garmin smartwatch that gets linked properly like Google Pay would
If you're in the EU there are a ton more options, specifically "Curve Pay" and possibly "Amex UK".
Very annoying.
What does not work? An LG app to control an air conditioner.
Also I have to hide root from the roku app, which I use for the headphone because it works better than the headphone on the remote.
Super important stuff, no wonder they lock that down so much.
Ok I did skip one real thing for the sake of the funny. I can't do google tap to pay. That's about it.
This is all the same on a rooted standard rom as on Lineage.
I use GrapheneOS. Thankfully I've had few things not work. Google Pay being one of them, the other is the garage door (Liftmaster)[1].
I genuinely find it disgusting. Thankfully I rent the apartment (and attached garage) so I've never given them any money. At the end of the day there's literally zero justification for a garage door opening app to brick itself if it's run on a unapproved platform. The official[2] statement states:
"Our customers rely on us to make access simple without sacrificing quality and reliability. Unauthorized app integrations, stemming from only 0.2% of myQ users, previously accounted for more than half of the traffic to and from the myQ system, and at times constituted a substantial DDOS event that consumed high quantities of resources."
AKA "we are incapable of implementing a basic ratelimit. faulty third-party clients made our AWS bill go up a bit so we are going to go on an irrational crusade against third-party integrations of any kind and expend more resources doing this than would be spent by giving users a simple API to use"
[1]: https://xdaforums.com/t/root-detection-for-myq-apps.3858887/ [2]: https://chamberlaingroup.com/press/a-message-about-our-decis...
Not possible in many parts of the world where banks force you to use their app for basic banking functionality.
2 banking apps running fine.
I did the same with this "new" phone, that is going to be 5 years with me - since also got that only-two-years-of-updates thing, threw LineageOS on it and it's going as new.
So as I said the last time I saw a post about it in here, thanks to LineageOS I can use a phone for way more than they are set out to be forgotten. It's a great project and it's really sad Google are making things harder for them for the sake of "security".
LineageOS is, besides the fact hat it is more open for non google stuff, providing Android Updates for older devices. While this does not necessarily provide better security (rooted devices are often not considered as secure), you still get the newer Androids security patches and FEATURES. Furthermore you are more open to do what you want.
However LineageOS does to my knowledge not support bootloader re-locking on most devices, which might be a security risk (see https://grapheneos.org/install/web#locking-the-bootloader).
Unless you have a Pixel 6 and your security update goes missing?
(Didn't get the July security update and the October update is still missing? https://www.reddit.com/r/GooglePixel/comments/1o2bhur/where_... )
Android July 2025: https://source.android.com/docs/security/bulletin/2025-07-01
Pixel July 2025: https://source.android.com/docs/security/bulletin/pixel/2025...
Android October 2025: https://source.android.com/docs/security/bulletin/2025-10-01
Pixel October 2025: https://source.android.com/docs/security/bulletin/pixel/2025...
Not shipping an update in months when there aren't patches isn't a broken promise. They officially extended the Pixel 6 and Pixel 7 major updates from 3 to 5 years but didn't say they'd provide a release in months with no security patches.
Most OEMs don't provide the privacy and security patches properly from day one. Fairphone lags behind 1-2 months on partial backports to older releases and multiple years for major updates with the full patches. Fairphone 4 and Pixel 6 both released in October 2021, but the Fairphone 4 is on the initial release of Android 13 (not Android 13 QPR3) with an end-of-life Linux 4.19 kernel branch. Android 13 is approaching end-of-life too, but still receives partial backports for now. Pixel 6 is on Android 16 QPR1 and moved from the Linux 5.10 branch to Linux 6.1. Pixels get the security patches in the month they're released vs. 1-2 month delays for the Fairphone 4.
And I'm a happy graphene OS user.
And if Chat Control will be implemented in Google Android, then LineageOS also offers you a way out of that, which is a huge plus of course if you ask me.
Yes, I have a Pixel with GrapheneOS.
And it's a decently recent version with more-or-less official Nvidia Tegra drivers, too. For the variety of weird-but-ubiquitous devices that have a bootloader hack, LineageOS is the route to a working smart device that anyone can pick up and use.
I could never get adb in my M1 Air (Tahoe and Sonoma too) to detect any android devices.
I have an OnePlus Nord CE 2 Lite 5G.
Same cable and everything works fine on Ubuntu and Windows machines.
The phone is not getting detected in the "System Information" either.
Tried MTP, PTP, USB Debugging, OTG everything.
Anyone faced this issue?
As long as it'll be the case, Lineage will never be more popular.
But thanks for the great fork. It's already enormous.
> Yes, Google has pulled back here too. Pixel kernels are now only offered as history-stripped tarballs, available privately on request, with no device trees, HALs, or configs. Thanks to projects like CalyxOS, Pixels will likely remain well supported, but they’re no longer guaranteed “day one” devices for LineageOS. Pixel devices are now effectively no easier to support than any other OEM’s devices. In short, this just makes things harder, not impossible.
These fucking bastards. How far we have fallen in ~10 years of smartphone ubiquity. I have zero hopes that this monopolising trend will ever be reversed without top-down regulation from a big bloc like the EU.
I wish something could be done but sadly feels like regular people have to climb mountains to protect themselves while corporations just come in by front door with lucrative deals in order to protect their status-quo
The entrenchment via regulatory capture at the baseband level, with enormous state interplay with TSMC and Qualcomm (both economic and regulatory, both publicly known and classified), makes it impossible for a seriously independent actor to enter the market, exception _maybe_ an ubercapitalist like Musk or something.
I'm much more interested to see what happens when we achieve sufficient peace that industrial complexes are no longer the primary pillar of support for chip engineering and fabrication. I suspect that this will unlock the open development, up to the kernel and beyond, that we all hope for.
I’m skeptical, but the question is honest. Without the (quite corrupt) allotment of frequencies and broadcast radio tech by the FCC and government, I’m having trouble envisioning a future that doesn’t end up back at the bcm/qcm/etc. near-monopoly … just via market collusion rather than state orchestration. Is there a better future there that I’m missing?
There are pros and cons to "big bloc regulation". You can go and start a phone company since so many things are standarised but the main constraint will be who you source a modem from and the lack of choice will be because of patents (see Apple vs Qualcomm).
And iirc from the xda forums, even for Xiaomi phones with a Qualcomm soc it isn’t certain anyone will try to make a custom rom. Xiaomi just releases too many devices to have support for all of them.