As Moxie Marlinspike once said, the fine line between facism and social democracy is choice. In order to exist in certain social groups, you have to expand your scope of choice to be able participate. In my experience using TextSecure/Signal for a decade and having convinced all of my friends/immediate family/significant others to use it, the majority of new people that I have encountered even with Signal installed on their phones, do not use it. It's unfortunate, but most people only care about privacy to a certain degree, if at all. What I usually do is bite the bullet with SMS for a bit. If things are going somewhere, I eventually convince them onto Signal. If things don't pan out, then not too much damage done.
The reason that Graphene doesn't do this is because the device is no longer receiving upstream security patches for firmware, bootloader, etc. If all you care about is privacy and simply having a deGoogled device, then by all means. But, security-wise, you are potentially running a vulnerable device. ROMs like Lineage and Calyx continue to roll the security patch counter, but aren't actually able to apply patches to those components. Security-wise, microG is also not an implementation I would recommend. Thus, Graphene is probably the only one I would recommend.
I've been using Knoppix for this purpose for like the last 2 decades.
Could not have said this better.
Brave uses Chromium code, but it is not a Google product. And I believe you are conflating security and privacy. The Chromium codebase is in fact more secure than Firefox in many areas. There is only so much hardening you can do security-wise before you are limited by its codebase. From a privacy perspective, though, you can definitely make the argument against Google. Brave, however, removes/replaces most of the Google stuff.
There are a couple of reasons. For starters, the applications and all of their files/dependencies are contained in a single location, making them easier to manage/remove and help avoid any dependency hell. They're distro agnostic, which makes it easier for developers and distro maintainers to troubleshoot. The applications are also somewhat sandboxed, which essentially doesn't exist otherwise on any distro. Not a perfect solution by any means, but I install all of my main applications this way. Permissions can be further tweaked/restricted with Flatseal. Only thing I'd be wary of is installing any Chromium-based browser this way as it replaces Chromium's layer-1 sandbox with Flatpak's, which is inherently weaker.
The Signal protocol (née TextSecure protocol) was created by Moxie Marlinspike and Trevor Perrin and Signal messenger (née TextSecure) was built from the ground up with e2ee. WhatsApp was acquired by Facebook without e2ee and Moxie later worked with them to integrate the Signal protocol for WhatsApp. Hope that clarifies.
Yeah, updating every 3 years is not something that everyone can afford. Newer Pixels are up to 5 years of security updates, though. Hopefully they can keep pushing this limit.