When comparing against something like a Pixel running GrapheneOS, it's honestly a bit more puzzling to me. Granted, I'm definitely not the audience for this, but with G_OS you can do most things that a regular phone can do, without taking several minutes to install Firefox.
As much as I love privacy (going as far as having a semi-random username), this phone is a bit puzzling. I hope someone can throw more light on this.
I'm not familiar with GrapheneOS, but I assume it follows the usual model when repurposing Android devices of taking various closed source blobs (i.e. drivers etc.) and rebuilding the open source bits around them? If so, this approach usually locks you into a Linux kernel version to remain compatible with the blobs, which limits you on kernel features and fixes, as well as who knows what exposure the blobs have to offer, which also will likely never get updates.
Sticking to an LTS kernel branch for the lifetime of the device isn't due to anything closed source. GrapheneOS only supports devices with proper security support for all the firmware, drivers, etc. and again there are no closed source kernel drivers. We can support pretty much any mobile device with alternate OS support since any serious one will have AOSP support. Most devices have lackluster security and don't meet our requirements. We're working with a hardware vendor to get a non-Pixel phone actually meeting reasonable security requirements.
Librem 5 has a bunch of components where they are not shipping updates. You have things very much backwards on that front. The Librem 5 does not come close to meeting the security requirements to run GrapheneOS. It has a bunch of poorly secured and insecurely configured legacy hardware often without proper updates available, components that are not properly isolated via IOMMU, no secure element or all the stuff that comes along with that (HSM keystore with a nice API used by apps, Weaver to make disk encryption work for users without a high entropy passphrase like 7 diceware words, insider attack resistance, working attestation not depending on hard-wiring hashes and a lot more) and many other things. The OS they use has a near total lack of any systemic overall privacy/security work or privacy/security model and only falls further and further behind. The most exciting feature for securing devices right now is hardware memory tagging support in ARMv9, but there are years and years of tons of important privacy/security work done in a systemic way across hardware/firmware/software which are missing there before worrying about stuff like that.
Marketing something as private/secure and spreading tons of misinformation and outright lies about the mainstream options doesn't make it secure or more secure than those. It's actually pretty funny that they mislead people about the isolation of hardware components like the cellular baseband in other devices when the vast majority of mainstream phones (iPhone, Pixel, Qualcomm SoC devices, Exynos SoC devices) have it done quite well when they don't. Strange that they get away with these games of misrepresenting things, hiding the fact that they still have entirely proprietary hardware and near entirely proprietary firmware for the SoC and other hardware components, etc. Hiding proprietary stuff doesn't make it go away. Not updating it doesn't make it go away and simply ensures a highly insecure device.
I ran AOSP builds for years and that's a half-truth at best. Sure, for the kernel proper, you have the source. However, there are a fair number of closed source drivers for the GPU, modem, wifi, etc. From the GrapheneOS Wikipedia page[1] it sure looks like they're following this model.
If I am mistaken and there is a miraculous state-of-the-art SoC with completely open source drivers being used by a major handset maker, do tell. You'll be a hero in the open source world for pointing out something everyone else has overlooked.
> Sticking to an LTS kernel branch for the lifetime of the device isn't due to anything closed source.
It has everything to do with things being closed source. Try doing a Linux kernel major version upgrade with binary-only drivers for key components sometime. It sounds like the only reason GrapheneOS works is because they're 'drafting' off of the kernel and driver work done by Google, not that they've cracked that particular nut themselves. Nothing wrong with that, but it does limit the useful life of a device to the first major security issue they can't fix due to a lack of source code.
Regarding the rest of your response, you're assuming that I was speaking to the Librem 5 specifically; I was not. Notice that I was only speaking about the goal of a 'pure' Linux phone since that was what seemed to be being asked about. Personally, I have a PinePhone[2] and wasn't interested in rehashing the various issues with the Librem 5.
[1] https://en.wikipedia.org/wiki/GrapheneOS
[2] which itself is far from perfect, but comes a lot closer to being a 'pure' Linux phone.