• Noxy@pawb.social
    5 upvotes · 3 days ago

    GrapheneOS promotes “verified boot” that stops you from doing many important things.

    What is your strongest example of an important thing that can’t be done on GrapheneOS because of its boot/loader security?

    • Limonene@lemmy.world
      3 upvotes · 3 days ago

      Comprehensive backups, which can only be done after rooting. You can do this, but only after disabling verified boot.

      • GenderNeutralBro@lemmy.sdf.org
        2 upvotes · 3 days ago

        In theory Seedvault covers this. In practice…well I dunno, ask me again when I get my next phone. I’ve not had the opportunity to properly test it.

        • Limonene@lemmy.world
          2 upvotes · 2 days ago

          Some apps resist being backed up. “android:allowBackup=false” was one way. Apparently that can be overridden, but there are other ways apps can resist backup that can’t be overridden. It’s not clear what those are, but some of my apps definitely aren’t being backed up by Seedvault, even though they aren’t using keystore.

          The apps using keystore can only ever be backed up by installing a backdoor in the TEE.
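
Added example, not part of any comment in this thread: a small Python check that reads a decoded (text XML) AndroidManifest.xml, such as apktool produces, and reports what the app declares about backup. Only `android:allowBackup` comes from the thread; the other attribute names are taken from the Android manifest schema as an assumption about what is worth inspecting, the sample manifests are constructed, and nothing here claims how Seedvault treats any of them.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Backup-related <application> attributes. Only allowBackup is named in the
# thread; the rest are added here from the manifest schema (assumption).
BACKUP_ATTRS = ("allowBackup", "fullBackupContent", "dataExtractionRules", "backupAgent")

# Constructed sample manifests (not taken from any real app).
SAMPLE_OPTED_OUT = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vault">
  <application android:allowBackup="false" android:label="Vault"/>
</manifest>"""

SAMPLE_DEFAULT = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <application android:dataExtractionRules="@xml/data_extraction_rules"/>
</manifest>"""


def backup_flags(manifest_xml: str) -> dict:
    """Return the backup-related declarations found in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        raise ValueError("manifest has no <application> element")
    # Attributes live in the android: namespace; missing ones come back as None.
    flags = {name: app.get(f"{{{ANDROID_NS}}}{name}") for name in BACKUP_ATTRS}
    # allowBackup defaults to true when absent, so only an explicit "false"
    # counts as the app opting out.
    declared = flags["allowBackup"]
    flags["opted_out"] = declared is not None and declared.strip().lower() == "false"
    flags["package"] = root.get("package")
    return flags


if __name__ == "__main__":
    for sample in (SAMPLE_OPTED_OUT, SAMPLE_DEFAULT):
        info = backup_flags(sample)
        print(info["package"], "opted out:", info["opted_out"], info)
```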