
I agree with some of your facts but not your conclusions. I see why people want to use GrapheneOS. I respect and admire the security efforts of the authors of GrapheneOS. The users of GrapheneOS may have totally legitimate security requirements that lead them to choose it. But if Netflix doesn't want their program to run on GrapheneOS, isn't that their business?



Netflix wants a hardware attestation API to prevent abuse; GrapheneOS can provide that API abstracted through the integrity API, but Google won't authorize it.


This, but notably also: the hardware attestation API will report a device as fully locked down and secured even when a device is infected with a sophisticated-enough piece of malware. Plus, in the past manufacturer keys have leaked but keys have not been revoked.

Hardware attestation is quite useless when a device that hasn't received a single security update in four years is considered safe, but a locked-down ROM implementing everything Google has invented and more is considered dangerous.



