Most of that is solved by installing a ROM that’s not user hostile, keeping it updated of course, and using the phone strictly as a purpose specific device.

That means you run a trusted VPN on it so HTTP/S and DNS concerns go out the window.
Sandboxed processes, blocked JS? Fine if you only install what’s necessary and don’t use the web browser. JS blocking is not a huge hurdle though, ublock does it with just 2 clicks.

Then if you have pegasus, the only way for security is to reflash the A/B partitions, both. Factory reset is not secure as it will keep what is already in the system partitions.

That’s right but I don’t think that this is enough. If the Pegasus malware (package) really is able to do that many things, it’s a walk in the park for it to modify any of the partitions, including that which contains the modem, or just data like the modem’s IMEI and MAC addresses.
In the cause I would either restore a backup of all partitions, or throw the phone away (not literally).

The firmware is protected and signed by the vendors, so it is likely clean.

Except if they patched the verification mechanisms of the OS.
Also, the firmware may be protected, but what about data partitions which are read by vulnerable software.

This makes them poorly pretty expensive. I think a slightly outdated GrapheneOS phone is okay though.

Are you sure? My 6 years old phone still receives LOS updates