Would be an interesting experiment actually: how long would it take for the community at large to discover a backdoor in graphene OS if added sneakily by generally trusted Devs, ie the org that maintains it.

Or, phrased differently, how much independent auditing is graphene OS subjected to?