A fellow wool maximalist gets an instant follow.

Yes: https://shop.lnbits.com/product/nsec-remote-nostr-signer

But this does not have a secure element, arguably graphene is thus more secure. On the other side that has a much larger codebase and thus attack surface.

tldr: No.

I'd say make selective backups of your important files, not everything since that might include the malware, and then go again through https://grapheneos.org/install/web and start over.

8s are fine, especially if you have it already or want the cheapest option.

Both 9 and 10 are marginal improvements in build quality, performance, battery, and they will receive updates for one or two years longer (standard is 7 years official support from google, Graphene usually supports even longer)

The Pixel 8's Tensor G3 chip pairs with an upgraded Titan M2 security coprocessor to isolate sensitive cryptographic operations, while introducing Memory Tagging Extension (MTE) support for runtime detection of memory corruption vulnerabilities and significantly hardening the cellular baseband firmware with bounds sanitizers, integer overflow protection, stack canaries, and control flow integrity to reduce what has historically been a major attack surface.

That's a major improvement compared to the 7 or earlier generations.

In February 2014, Apple removed the last Bitcoin wallet from its App Store without explanation. A decade later, the freedom technology community has built an answer: a complete mobile stack where no corporation can decide what you install, who you talk to, or how you manage your identity.

This post examines how @npub10r8xl... @npub1am3er... @npub1hqlxl... @npub142gyw... @npub1whtn0... on @npub1235te... deliver that promise, and why this matters far beyond the Bitcoin crowd.
@naddr1qqgr...

Yes, its explained there, super simple.
Settings > Security & Privacy > Exploit Protection > USB-C Port > Charging Only

To reflash graphene, just to the same steps you did to install it in the first place.

Yes, we desperately need freer hardware, and I'd probably switch to an alternative if that would exist.

Bisq, vexl, robosats, friends.

There is no other hardware with a lockable boot loader and secure elements.
They are working with a second manufacturer at the moment.

Don't let perfect be the enemy of good enough.