Self-scans reveal that Pegasus, an invasive and powerful spyware that can secretly control phones and track owners, might be more widespread than previously thought. It was discovered on the phones of everyday phone users.
From wikiHow: How to Check Your Smartphone for Pegasus Spyware
I haven’t checked, does GrapheneOS do reproducible/deterministic builds so that you could verify that the published release matches your image? The boot attestation should not be able to be circumvented, if you trust Google hardware to do what it says on the tin.
Here are the built-in tools for verifying authenticity, a project to reproduce builds, and a thread where the devs confirm reproducibility and other community members link the above.
TL;DR - Yes.
Thanks, interesting. I have used boot attestation but not yet Auditor. Hope to have some quality time reading up on the documentation in the coming three weeks.