Some of them are separate projects (eg. hardened malloc), also many of the implemented features later got merged by upstream AOSP itself. I think some independent audit also happened, but not sure about the details.
Nonetheless, the project has an absolutely stellar track record, where the main guy behind it even revoked the signing keys of the OS upon a failed for-profit company overtake attempt. The project doesn’t accept any for-profit company offers since then and is independent and open-source.
For the readers: the aforementioned "takeover attempt" has never been substantiated or validated. Using the past (and rather trite) CopperheadOS dispute to justify present misgivings is disingenuous.
Nonetheless, the project has an absolutely stellar track record, where the main guy behind it even revoked the signing keys of the OS upon a failed for-profit company overtake attempt. The project doesn’t accept any for-profit company offers since then and is independent and open-source.