[dmitrygr]

I have really, really, really bad news for you about any modern SoC, including all those by Qualcomm. Their ROM private keys are widely available to the three letter agencies. Your OS, while cute, provides no protection at all to anyone who has physical access. Secure boot root keys give away the whole kingdom

[t0bia_s]

Please explain how would you acces to encrypted data on turned off GOS device with locked bootloader.

[trumpdong]

Ask the owner to come in and unlock it if they ever want it back.

[t0bia_s]

That is not an answer.

[akimbostrawman]

Secureboot keys do not give away any data on the encrypted "cute" OS. At worst they can attempt an evil maid attack but why bother when they can use any device of the same model.

[trumpdong]

The disk is encrypted. They might be able to install a backdoor but they can't get the data.

[dmitrygr]

Backdoored OS installed. Device returned. Wait.

[akimbostrawman]

Why bother with that when they can replace it with any backdoored phone of the same model.

[Hizonner]

There are no "ROM private keys" in Qualcomm or most other chips. The root of trust is fused in by the OEM. Apparently the exception is Apple.

They would have to individually steal keys from every OEM, in GraphenOS' case meaning Google. Then they'd have to do the right dance to fake the right stuff to satisfy the Secure Element(TM) and get it to let them use the data encryption keys. Which, by the way, I believe requires forking over a hash that may vary among individual phones; you have to know which version of the appropriate stage you want to fake.

... and you'll excuse me if I'm skeptical of your confident statements about what TLAs do or don't have access to, especially when you start talking about keys that don't exist.