How far off of AOSP is CalyxOS though? Given that most Android users are running unaudited carrier & OEM modified ROMs that rarely see updates, a ROM that is very close to upstream AOSP is apt to be much more secure.

Nevermind that many of the apps that Google ships as part of Google Play are not receiving security audits outside of Google, Google is not committing to regularly audit their apps or publish the results, and these apps function as black boxes on your phone, with privileges that most other apps do not have.

Open source software has a better security track record than closed source software run by billion dollar corps.

Does it though? Have you looked at the vast number of vulnerabilities introduced into the Linux kernel in the last 3 years?

>Many people run their entire lives off of their phones

This is the real problem, not the lack of security audits.

Being concerned is being rational just the reality of it that's depressing.