Great, so this means that the only way to get an Android release that's up-to-date on security patches is a binary-only distro - either Google Pixel, or the GrapheneOS preview channel.

Just wonderful. Google should know better than this, shame on the other OEMs that forced this mess.