Now in grapheneosin the updates settings it allows you to apply Google's upstream security patches, but grapheneos is forbidden from releasing the source code for these until a certain time later. You can read more about it on their blog. I have them enabled. At least I can rest easy knowing the Grapheneos Devs are able to inspect the code on users behalf even if they can't yet release it.
Will Graphene release the patches concurrently with Google? If there's a lag, then then Graphene is a tiny bit less safe in terms of one-day/n-day bugs.
Not having the source of the patch adds some friction to all attackers, but reversing vulnerabilities from binary patches has a long history.
For the security preview channel where they have to withhold the code until it's officially released yes that comes out with/days after Google releases them publicly.
They generally patch much faster than Google.