
> MicroG is "insecure" because it requires "signature spoofing

But it is literally a less secure option than what Graphene does provide, sandboxing the original Google API itself.

> pixel

Yes, if you can literally just start any OS from the hardware level, you don’t have security. The same way you can just read/edit an unencrypted Linux distro partition, and “log in” to that same OS.




> But it is literally a less secure option than what Graphene does provide, sandboxing the original Google API itself.

Let's define "less secure" as "vulnerable to additional threat vectors when compared to another option".

If the operating system allows a verifiably signed MicroG in /system to replace Play Services, what is the threat vector that opens up? Keep in mind that I'm intentionally trusting MicroG more than Google, so anything that happens as a result of a compromise of MicroG itself is a trade-off for avoiding anything that happens as a result of a compromise of Google Play Services and so not "less secure".

Explain what "less secure" means in this context, please, because I don't get it and nobody ever has.

> Yes, if you can literally just start any OS from the hardware level, you don’t have security.

That's not how Samsung Knox works. It's verified boot.

Also, I don't care if any OS can start if any OS can't decrypt the encrypted root partition due to it using a TPM-held key backed by measured boot registers, and that's also possible on several phones.


MicroG means that there is a mechanism to spoof app signatures, which is a core security measure.


As I said twice, LineageOS allows the exact signature of MicroG to replace the exact signature of GMS (core Google Play Services component).

An app signed as MicroG can't spoof anything other than GMS. Nothing with any other signature can spoof GMS. An app not signed as MicroG cannot spoof anything.

I'm unclear what the problem is here, because the desired outcome is MicroG replacing GMS and that is exactly what LineageOS allows, without allowing anything else.



