Where things stand
First-time Replicant user here. I was aware of the project but only just got my teeth into it.
As I understand things presently, when it comes to security we have the following contenders:
Allegedly using phones with baseband/modem isolation (but as was seen in Replicant's Samsung backdoor discovery, who really knows)
High focus on security within the release itself, sandboxing apps, etc.
Aggressively up-to-date security patches for Android, kernel, manufacturer, etc.
Using non-free software (firmware) for the most part, which (and please, anyone, correct me if I'm wrong here), combined with the questionable modem isolation, essentially leaves the front door open. So regardless of how secure the inside is, if the front door is open, it's a problem from the get-go.
No interest in supporting 'legacy' hardware
Largely based on Graphene OS patches
Patches the mainline kernel even on vendor unsupported devices.
Keeps Android up to date.
Still using non-free firmware, but purging a lot of it and keeping it to a minimum.
Entire purpose of the project seems largely about keeping legacy hardware alive
1. Outstanding work done on modem isolation, well above the call of duty. 'Front door' as shut as it's able to be within current knowledge.
2. Free firmware where applicable. Perfect, excellent!
3. Keeping 'legacy' hardware well and truly alive.
4. Massively out-of-date Android version, kernel, security patches and so on.
Obviously what we are all here for is our interest in points 1 and 2 of Replicant. Far be it from us mere mortals to whine and complain about part 4 when the amount of work that has been done by the Replicant devs is extensive and the results are beyond fantastic, and most of us have done nothing other than install the ROM.
But the question does arise...
If we are using Replicant in its current release (6.004) (which, as far as I can tell, other than minor releases is unlikely to be updated to 11 for a fair amount of time), we are looking at security patches, Android release, kernel and so on that are four years out of date.
Let's take a hypothetical. Let's assume that the phone is being used for the following purposes only: calls, SMS, and an XMPP client. Web-facing apps (browser, email, etc.) all removed. Not using Wi-Fi, not using Bluetooth, only using 3G data.
How secure is the device? What threats are we open to? Do the heart-warming, soul-elevating advantages of free software and an as-closed-as-possible front door outweigh the consistent message that "up to date is critical, look at all these vulnerabilities" and so on?
Again, please correct me if I'm wrong about any of this. I'm looking forward to hearing from anyone.