Do not accept the premise of assholes.
I hope we can get the EU to fund a truly open Android Fork. Maybe under some organisation similar to NL Labs.
--- edit ---
Furthermore, the need for a trustworthy binary to be auditable to a certain hash or something would make banning this a simple task if Google would want to go that route.
https://images.squarespace-cdn.com/content/v1/60f1421e1afcf4...
Several of those are the opposite of security features, like SafetyNet support, which might be a convenience in some cases but it mostly makes it so you can't upgrade certain parts of the system to newer versions even when the old versions have security vulnerabilities.
Here's the up-to-date comparison: https://eylenburg.github.io/android_comparison.htm
As far as I know, there is no significant features other distros have that increase their privacy or security over what GOS has. I'm not entirely sure about the SafetyNet thing, but GOS is by far the most up-to-date to the AOSP out of these distros.
Moreover, some of the stuff with green boxes is still kind of a privacy fail. For example, with GNSS (i.e. GPS) your device calculates its location from the timing of radio broadcasts emitted by a network of satellites. It has extremely good privacy properties because your device is a passive radio receiver and neither the satellites nor anyone else know you're there when you use it. "Network-based location" can sometimes work when you're somewhere you can't hear the satellites, but now you have Google or someone else building a database of nearby wireless APs etc. in order to make it work, and in the process you're effectively uploading your location to them.
Their objections in general seem to be fairly pedantic, e.g. objecting to a connectivity check which could be improved in a theoretical sense but in practice that shouldn't be leaking anything you're not already giving up by having a phone which is turned on and connected to a cellular network.
