If you decide within your threat model that you can use stock Android, my recommendation is to get something that has a reputation of getting consistent updates (Samsung and Google seem to be the best at this, but your mileage may vary). And once you’ve decided that, I would say debloat using ADB and use RethinkDNS for a network firewall. Once that is configured and you use privacy-respecting apps, although obviously you would not be at the same level as GrapheneOS, you would be in a good middle ground between usability, privacy and choice of hardware. Definitely still better off than your average person, and it may be more than enough for your threat model.
While this is true, realistically I’d be reluctant about recommending Aurora to people.
It’s a great piece of software and I am happy there is a way to get Play Store apps without a login, but it’s been down enough times that I had given up and just use the Play Store alongside F-Droid & Obtainium. On stock Android it’s not ideal, but people do want their phone to just work.