What data can an app collect from a phone running regular Android vs GrapheneOS?
Privacy Guides Community [Unofficial]
June 7, 2026
One practical way to think about it is:
- On an up-to-date regular Android phone, a normal app is already sandboxed from other apps’ private storage, and it should only get contacts/location/files/camera/mic/etc. if you grant those permissions. So it is not a total free-for-all.
- The bigger things to check are the special permissions: Accessibility, notification access, device admin, VPN, install-unknown-apps, SMS/phone permissions, and broad file access. Those can change the risk a lot.
- A separate Android user profile or work profile can help keep government apps away from everyday apps and accounts, but GrapheneOS gives stronger and clearer controls (separate user profiles, sandboxed Google Play, network toggle, storage scopes, and generally less privileged Play services).
So for a regular Android phone, I would at least use a separate profile/work profile if possible, deny every permission that is not strictly needed, keep the OS updated, and avoid granting Accessibility or device-admin unless there is no alternative. GrapheneOS is the cleaner option if you can use a supported Pixel, but a current stock Android phone with careful permissions is still much better than an old or unpatched phone.
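A way to check some of the accesses listed above on a phone you own, as an added example that is not part of the original post. It assumes you have saved the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell dumpsys package <package>`; the package names, sample text and watch list are constructed, and device admin, VPN, install-unknown-apps and broad file access are not covered.

```python
import re

# Runtime permissions from the groups the post names (SMS/phone, contacts,
# location, camera, mic). This watch list is an assumption of the example.
SENSITIVE = {"READ_SMS", "SEND_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "CALL_PHONE",
             "READ_CONTACTS", "ACCESS_FINE_LOCATION", "CAMERA", "RECORD_AUDIO"}
PERM_LINE = re.compile(r"^\s+([\w.]+): granted=(true|false)")

def packages_in(setting_value):
    """Package names in a colon-separated list of 'package/Class' components."""
    value = (setting_value or "").strip()
    if value in ("", "null"):          # `settings get` prints "null" when unset
        return set()
    return {item.split("/", 1)[0] for item in value.split(":") if item}

def granted_runtime(dumpsys_text):
    """Watched permissions marked granted=true under 'runtime permissions:'."""
    found, in_section = set(), False
    for line in dumpsys_text.splitlines():
        m = PERM_LINE.match(line)
        if line.strip() == "runtime permissions:":
            in_section = True
        elif in_section and not m:
            break                      # first non-permission line ends the section
        elif in_section and m.group(2) == "true":
            found.add(m.group(1).rsplit(".", 1)[-1])
    return found & SENSITIVE

def audit(accessibility, listeners, dumps):
    """Map each package to the sorted list of high-impact access it holds."""
    report = {}
    for pkg in packages_in(accessibility):
        report.setdefault(pkg, set()).add("accessibility service")
    for pkg in packages_in(listeners):
        report.setdefault(pkg, set()).add("notification access")
    for pkg, text in dumps.items():
        report.setdefault(pkg, set()).update(granted_runtime(text))
    return {pkg: sorted(items) for pkg, items in report.items() if items}

# Constructed sample input (not captured from a real device).
ACCESSIBILITY = "com.example.gov/com.example.gov.HelperService"
LISTENERS = "com.example.gov/.NotifListener:com.example.chat/.Listener"
DUMPS = {"com.example.gov": """\
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
"""}
REPORT = audit(ACCESSIBILITY, LISTENERS, DUMPS)
```

Any package that shows up with "accessibility service" or "notification access" and that you do not recognise as needing it is the first thing to revoke in Settings.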