People can modify GrapheneOS however they want including making their own builds with the officially supported userdebug root support enabled. Open and free doesn't mean catering to power users with the official setup at the expense of everyone else. It doesn't mean sacrificing substantial privacy and security for niche aesthetic customization and other power user features. Defining freedom for devices as software providing more customization options for power users is strange. The freedom is from it being open source and any OS being permitted on the devices.

Devices built to officially support GrapheneOS MUST include first class support for using an alternate OS that's not the official GrapheneOS, which is part of our requirements at https://grapheneos.org/faq#future-devices. These requirements apply to official GrapheneOS devices in the same way as devices using a Google Mobile Services stock OS. Combined with the OS being open source, that's what gives people the freedom to legally and practically use/make forks of it with arbitrary changes.

Userdebug builds of GrapheneOS are officially supported, although we don't recommend using them on a production device. Setting ro.adb.secure=1 for a userdebug build does preserve most of the security as long as ADB isn't used, but not all of it. It still downgrades security when ADB isn't used since the changes to accommodate having root access and other debug features via ADB have an impact beyond when it's actually used. It doesn't destroy the overall security model in the way people typically integrate root access where a huge portion of the OS has it and it's accessible to apps in a persistent way.