mschuster91, today at 5:03 PM

> Every GrapheneOS server has a local DNS resolver (Unbound) that's configured not to resolve queries itself, but to forward them to Cloudflare's servers over an encrypted connection. This means Cloudflare sees the DNS query patterns of every GrapheneOS server — what domains they look up, when, and how often.

Well, the general idea is to protect the privacy of GrapheneOS users. Sure, a government-backed entity can wiretap the GrapheneOS servers and force Cloudflare to deliver DNS logs to then correlate with requests... but that is a class of attack that I really don't see anyone doing anytime soon.