I think this is great news, but I thought GrapheneOS considered unlocked bootloaders to be a terrible security risk? What's changed?
Unlocked bootloaders are mandatory to install graphene, but so is the ability to re-lock the bootloader.
You always have to temporarily unlock your bootloader to install graphene.
The key point is being able to lock it again after installation.
It has always been a hardware requirement to be able to unlock the device, install GrapheneOS and lock the device again. Verified boot has been a requirement since it was introduced for Pixels and is the main benefit of locking the device. There are additional security features enabled by verified boot. The overall hardware requirements are listed at https://grapheneos.org/faq#future-devices.