
lucb1e, yesterday at 10:03 PM (0 replies)

Privacy is when nobody is looking, whether that's because they cannot look or because there's nobody that looks.

Security is the former: actively denying someone or something the ability to look in a situation where they are trying. GrapheneOS does that by encouraging a locked bootloader (preventing physical attacks) and letting you deny sensor access (preventing malicious apps from accessing unnecessary info), for example. I think we agree so far?

But you can also have privacy by just not installing apps that violate your privacy. Such a device could be as open as any Linux laptop where you log in with root:root. It lets you do whatever you want and access whatever you want. It's yours through and through. That's freedom without security, which may or may not have privacy depending on who you let look: if you leave it unattended at a hacker conference or have sshd with password login enabled, yeah, that won't stay private for very long. But that's your choice, right? You can just not invite anyone in or, in this example, not bring it to someone who would do something malicious.

An official GrapheneOS release has a lot of features baked in against actively malicious actors (be it apps or people at border checks), but users need to work within the boundaries and limitations of the sandpit that's provided to them. They're not granted much freedom, and that limits what privacy measures you can enact. Making a backup of /data, modifying firewall or traffic routing rules, signature spoofing to substitute an untrusted app with a trusted implementation, intercepting and faking Android API responses... a lot of things are off-limits: you don't have the freedom to shape the environment to suit your needs, for example to create privacy or security.

The axes (privacy, freedom, security) all influence each other, but they are still separate enough that you can have one or two without the other. I can see what you mean if you say that your threat actors are skilled exploit developers and you can't have privacy without also thwarting these constant attempts. (Paranoid as that may sound, I'm sure it's true for some people.) Most people would gain more privacy from doing something about the pervasive adtech than about exploit developers they're not likely to run into. For them, LineageOS could be more private and provide more freedom while being less secure in some ways (e.g. they need to watch out which processes they grant access to, for example something claiming to be backup software that turns out to be ransomware) and more secure in others (e.g. data availability by getting to make backups).