Idk about GrapheneOS in particular but I find the sandboxing solutions for GNU/Linux like bubblewrap to be much more granular than standard Android.

“give us access to manage phone calls or we won’t you me answer internet calls (which have nothing to do with actual SIM calls)”, “give us access to all your files or we wont let you share that file via the share function (which doesn’t need fs access to work)”.

On GNU/Linux I can only give a program exactly the resources it needs, I can disallow dbus, I can block it from accessing potentially troublesome things like /dev/dri, can overlay filesystems and pretend that’s my real home dir. Or can just mount the whole / to some other system.