European authoritarians and their enablers in the media are misrepresenting GrapheneOS and even Pixel phones as if they're something for criminals. GrapheneOS is opposed to the mass surveillance police state these people want to impose on everyone.

https://www.xatakandroid.com/sociedad/cada-vez-que-vemos-google-pixel-pensamos-que-puede-ser-narcotraficante-movil-perfecto-para-crimen-sencilla-razon

"Cada vez que vemos un Pixel pensamos que puede ser un narcotraficante". La policía apunta al móvil de Google como el favorito del crimen

Los Google Pixel son los máximos representantes de Android, con permiso de Samsung. Es por ello que convencen a los usuarios entusiastas del sistema...

There are ongoing coordinated attempts at misleading people about GrapheneOS and Signal in multiple European countries. A consistent pattern are completely unsubstantiated claims about exploits with no evidence. These are contradicted by actual evidence, leaks and their behavior.
GrapheneOS is not immune to exploitation, but the fearmongering done in these ongoing attacks on it is very clearly fabricated. They feel threatened enough by GrapheneOS to engage in coordinated attempts at convincing people that it's unable to protect their privacy and security.
GrapheneOS eliminates many classes of remotely exploitable vulnerabilities and makes the vast majority far harder to exploit. It even puts up a strong fight against attacks advanced forensic data extraction tools with physical access. See https://discuss.grapheneos.org/d/14344-cellebrite-premium-july-2024-documentation for an example.
Cellebrite Premium July 2024 documentation - GrapheneOS Discussion Forum

GrapheneOS discussion forum

GrapheneOS Discussion Forum
There's currently an example of one of these attacks on the project ongoing across Swedish forums and social media. This reached our forum at https://discuss.grapheneos.org/d/23535-unsubstantiated-claims-about-sweden-exploiting-grapheneos-with-no-evidence. An account pretending to be just asking questions goes on to pretend to be an expert citing non-existent sources.
Unsubstantiated claims about Sweden exploiting GrapheneOS with no evidence - GrapheneOS Discussion Forum

GrapheneOS discussion forum

GrapheneOS Discussion Forum
This same thing is currently ongoing across several Swedish forums and on social media. It's generally not in English which makes it inaccessible to the broader GrapheneOS and privacy community so they can get away with extraordinary, unsubstantiated claims much more easily.
GrapheneOS is not supposed to stop people installing malware and granting it invasive permission. It does provide alternatives to being coerced into granting invasive permissions by apps via our Storage Scopes, Contact Scopes and other permissions, but it's a user choice.
GrapheneOS similarly not supposed to prevent authorized access to data by someone with the PIN/password and access to the device. Rather, we provide far stronger protection against unauthorized access via exploit protections, 2-factor fingerprint unlock, duress PIN/password, etc.
Our features page at https://grapheneos.org/features provides an overview of how GrapheneOS improves privacy, security and other areas compared to the most secure Android devices running the stock OS. It's not immune to exploitation and cannot be. Products making that claim are scams.
GrapheneOS features overview

Overview of GrapheneOS features differentiating it from the Android Open Source Project (AOSP).

GrapheneOS
Not being immune to exploitation doesn't mean it can be successfully exploited in a given real world scenario. It's significantly harder to develop and deploy an exploit successfully. It can be exploited, but it doesn't mean it is happening especially at scale or consistently.
Having far from perfect security does not mean real world attacks including sophisticated ones will be successful in practice. Don't fall for security nihilism propaganda. We'll keep working on advancing security for general purpose computing devices. It will keep getting better.

Here's an article from Citizen Lab on how the Spanish government used exploits against political opponents in Catalonia:

https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

Bear in mind even police using these will almost entirely be using them against people not convicted of a crime based on suspicion.

CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru - The Citizen Lab

The Citizen Lab, in collaboration with Catalan civil society groups, has identified at least 65 individuals targeted or infected with mercenary spyware, including members of the European Parliament, Catalan Presidents, legislators, jurists, and members of civil society organisations.

The Citizen Lab
@GrapheneOS
Which country would you say is the most safe and free?
@GrapheneOS The original post seems to be a classical FUD campaign. The thread opener is pretending to just asking a question about something he claims to have heard about. And sometimes just saying that you have heard something without any proof can be enough to sow doubt. The fact that this kind of posts showed up several times makes me think.
@NebulaTide They started off asking questions about something they say they've seen posted elsewhere. By the end of their participation in the thread, they're acting as if they're an expert and confidently making extraordinarily, unsubstantiated claims which do not check out. They claim to have sources which they completely fail to provide, and resort to posting search results not saying what they said the sources say. We think they posted the thread on the Swedish forum despite their denials.
@NebulaTide @GrapheneOS great usage of (probably) public money :)
@GrapheneOS a bank cio once told me: you don’t need the best security, the second worst is sufficient. Criminals always try to get the lowest hanging fruits. I believe the situation since then, 2006, changed
@Okuna GrapheneOS does defend against sophisticated attacks. It doesn't need to be perfect to do so. It only needs to largely be ahead of those and keeping them not working at all or at least not working reliably most of the time for it to generally not work and therefore not be very appealing. By default, we generate user-facing crash reports for memory corruption detected by hardware memory tagging. Users can also enable it for other system crashes. This is a major deterrent against attacks.
@Okuna We have much better exploit protections blocking many kinds of vulnerabilities from being exploited and making nearly all other remote / proximity vulnerabilities in the OS much harder to exploit. This combined with the risk of attackers burning their exploits through the user-facing crash reporting means they'd need to really want to target GrapheneOS enough to put lots of extra effort into development and risk losing both that and the baseline vulnerabilities/exploits if it goes wrong.