Both are good solutions however if you’re on a supported phone I would pick GrapheneOS every single day.

CalyxOS (and the supported devices) expose you to a classic “evil maid attack” applied to phones. There’s also other privacy implications of mishandled stuff in CalyxOS.

If you want a detailed explanation read this https://lemmy.world/comment/4962467 and my comments bellow it:

As usual if you’re looking to have any security (Verified boot) GrapheneOS + Pixel phone is the only options. I really don’t get it how come people(…) are okay with having a phone with all their personal data and logins without verified boot. Stolen / lost phone and game over.

Doesn’t Android have file based encryption by default since a while now??

if someone can compromise your bootloader in an hotel or some other public place then they’ll get to your data either way once you turn on the phone. This is one very small and very important detail that all those tech youtubers pro-privacy, security and whatnot love to ignore as it is the really hard one that makes all the difference. Secure boot is a complex subject and it requires a lot of work and checks to make sure nobody tempered with your device and Graphene / Pixel are the ones that really give a shit about that (except for Apple that wants to block jailbreaking and pirated Chinese app stores at all costs).

switching to another ROM on a phone with non re-lockable bootloader is a downgrade from the stock ROM?

It depends on your goal. If you plan to have any kind of boot / data security and the device can’t be re-locked with an alternative ROM you’re essentially better with the stock ROM in a locked state. Now that’s kind of personal choice, I believe the instant damage done by someone stealing your phone and getting your data (because your bootloader was unlocked) is considerably larger than the privacy implications of running the stock / vendor Android. For what’s worth if you can root your stock Android and firewall everything that seems suspicious it might be better than running an alternative ROM without a secure boot. Even with an alternative ROM you can run into privacy issues, take for example here CalyxOS running on Qualcomm CPUs. What’s interesting here is that this issue doesn’t happen in Graphene because they’re actually better.