One idea is that the stock rom by Google may phone home even when locked. Perhaps with a malicious WiFi network, attackers can exploit the phone through a flaw in DNS or HTTP handling.

If GrapheneOS skips contacting remote servers like that, they would not be vulnerable.

It would be a story of Google prioritizing tracking over security.