I don’t know much about the creator of GrapheneOS. What’s the bad about them? I know they’re a little dogmatic, as security/FOSS folk can sometimes be, but I’ve not heard anything beyond that.

If you are either A) bootloader unlocked or B) using a custom ROM via an exploit, your system is freely open to modification by a physical attacker, regardless.