My phone isn't my email server though? It's not exposed to the public internet. It connects outwards but you can't simply connect inwards to the IMAP client

You can invert your logic as well: Why care about security without privacy? If your apps are leaking everything to the internet, what's there to keep secure. One could argue this is the essential dependency, not the other way around, since security depends on the threat model but, without privacy, there's no more secrets

> I think you're talking about something like "freedom", here

In part, as well as a means to an end, yes. (GrapheneOS uses this as well, since without the freedom to bring your own OS, they couldn't run on Google's devices. I would think we all enjoy having the freedom to do what we want with our own hardware.) Note also the part where it says "provide fake data to tracking apps": that's privacy which GOS doesn't offer but a user root device / any desktop OS would