You make claims like “that means one website can take over your entire phone” and I reject that. I know what these isolation layers do and I also know that they’re not going to make a difference in practice for the vast majority of people. For instance, same-site isolation, which you specifically mentioned, is not a defence against anything but CORS bypasses and maybe some memory leaks. Firefox not having it is suboptimal, but it’s hardly the end of the world. Just rather annoying to let them open themselves up to the risk of side channel attacks and such.

The Android sandbox is designed to sandbox entire binaries. That alone should withstand any malware that enters the phone, or at least constrain it within a sandbox. If that sandbox is broken, GrapheneOS itself is broken. There are CVEs and CVE chains to break out of that sandbox in unpatched version of Android and there are probably a few that are present but haven’t been discovered by the good guys yet, but that’s the part that prevents any app from taking over your phone. It’s also why rooting your phone is such a hassle if you don’t have an unlocked bootloader.

That’s also what Firefox is supposedly “crippling” by not using Googles process sandboxing API. That just shows that GrapheneOS assumes their sandbox to be broken to the point where every app is crippling their security by not calling the APIs used for process isolation.

The kind of browser protections you’re arguing for are defence-in-depth measures. They lengthen the kill chain of certain families of exploits by requiring more workarounds and making exploits less stable and efficient. That’s no doubt good for security in general, and I’m not denying Firefox has work to do here, because Google is ahead of them.

However, their browsing recommendations are only valid for their threat model. That includes “always disable USB”, “always hide your IP address”, “sacrifice RAM and performance for better ASLR”, “break API compatibility to enforce better malloc rules”, and tons of other modifications that are protections against the most advanced kinds of malware. Of any if this were a problem, the average Android user with their four month old copy of Chrome on their two years outdated Android phone would get hacked every single day. Writing reliable Android exploits is actually quite hard because every manufacturer likes to alter their ROMs in tiny but annoyingly significant ways. Your ROP chains don’t line up anymore, your kernel exploit needs to call a different method, the ROM comes with a different version of a driver for no good reason, it’s almost security-through-annoyance.

The protections Graphene provides are similar to those of an iPhone in lockdown mode (a severely underused mode, in my opinion, one that mainline Android should include). It protects against vicious malware that’s made by people with vast resources through several levels of defence in depth and sacrificing usability for security where necessary, to the point they call themselves “an operating system with Android app compatibility”. It’s why only GrapheneOS and the latest (well-configured) iPhone were shown to be resistent to hacking tools such as Celebrite. Excellent for journalists, human rights activists, and other potential targets of such directed advanced malware. Hardly a problem for the majority of the population whose malware exposure is “your WhatsApp is outdated click here to install WhatsApp.apk” and “download super gambler from the Play Store and Elon Musk will send you free crypto”.

For some perspective, compare GrapheneOS’ opinions on Gecko with those of DivestOS, which provides a more nuanced recommendation. They recommend their Mull and Tor for privacy reasons, despite the lack of the two isolation features GrapheneOS is so adamant about. They also mention dynamic first party isolation, which Firefox implements but Chromium doesn’t, and which even Vanadium doesn’t have a comparable implementation.

You said users should understand the risks associated with their browser choices, and I agree. I just don’t think the risk is as high as you seem to think. And no, I’m not developing an Android ROM, and even if I should, that wouldn’t make me more or less reliable on a forum like this. When it comes to browsers, my recommendation would be “use Mull for privacy against advertisers and data brokers, buy a Pixel and use Vanadium or buy an iPhone and put it in lockdown mode if you’re afraid of one or more governments”.