Even alternatives like GrapheneOS relies on AOSP. I wonder if it's possible for regulators in certain countries to pressure Google to kill it in the future.

Even if that's not the case, I'd imagine attestation apps like banking apps would require some kind of identity verification in exchange for trusting Graphene's keys.

In principle it doesn't make sense to leave any escape hatch, but I guess as always, it boils down to economy.