Hardened_malloc function is in Linux kernel, and so it is part of every single Android device since years now.
MTE looks like some memory overflow protection, but that comes in the form of various functions. It is not a fancy thing limited to Pixels or Chromium browser. Memory protection is such a standard thing in software, I am not sure how MTE specifically is some form of USP. Also, let me tell you that all apps in Android basically run sandboxed, as far as memory goes, and now with SAF, even storage permissions are restricted by default.
There are only 3 things they ever did on their own as extras, and even they have basically no value in the grand scheme of things, them being offering:
instead of 16 character, 64 character password limit on lockscreen
PIN scrambling
Morula method of exec spawning instead of Zygote method used in most AOSP projects
Now, I will elaborate on these 3.
Elaborating on first one, it is kind of useless as you can see for obvious reasons.
For second one, you already understand why fingerprint avoids the issue of someone peeping at your PIN/password entered across your shoulder. Fingerprint is infinitely superior. Even more so with Android and iOS both offering biometric Lockdown features.
This one is somewhat half credible, but the goal is to destroy the memory blocks used by an app after it is exited, so that memory blocks do not retain essential text strings of data to exploit. For this, you can just go to Developer Options and enable “Don’t keep activities” and it will achieve the same effect as Morula method of exec spawning implemented by GrapheneOS.
So out of the 20-30 features GrapheneOS claims they developed, basically everything is either a modification of app permissions or firewalling or AOSP feature rebranding. You can do these things on any non rooted Android device.
Also, as you may have famously heard about “Sandboxed Play Services”, it is not developed by GrapheneOS, but a project called ProtonAOSP, whose developer is kdrag0n. GrapheneOS took that and rebranded it as their own developed thing.
I am not too interested in their buzzword self-circlejerking campaign after I observed this, in addition to the drama they invent via sockpuppets or otherwise to stay relevant in privacy communities.