Graphene OS: Graphene OS is the absolute GOAT when it comes to secure operating systems, it is a flexible system that can be used in a myriad of fashions and in almost all threat models. Graphene OS can be used as a privacy-respecting FOSS smartphone, a typical smartphone with GAPPs installed, as a near-dumbphone with only a few apps and no browser, or as a mobile alternative to Qubes with up to 32 user profiles. Graphene OS can run on phones, tablets, and even in a lapdock/deskdock setup. Graphene OS is built on top of AOSP, which is already lauded for its strong security through sandboxing and verification, and improves upon that security with state-of-the-art exploit mitigations and measured boot. Graphene OS is the absolute GOAT with little-to-no compromises.
AOSP: AOSP is a great second option compared to Graphene OS, however a good AOSP build is hard to get a hold of. Lineage OS isn't great because they use userdebug builds, which adds attack surface, exposes root over ADB, and weakens SELinux policies. Many alternative operating systems for Android handsets are based off of Lineage OS, and can be assumed to come with these shortfalls. Not to mention, along with the weakened sandboxing and exposed root, Lineage OS doesn't provide a verified boot setup by default. To fix Lineage OS users would have to build their user builds, and sign them to be used with verified boot (assuming the handset supports proper verified boot with third-party operating systems, which many don't). Many alternative operating systems in the Android world are built off of Lineage OS, and inherit some (or all) of these problems. Many of these systems also contain privileged software that increases attack surface. TLDR: Just build AOSP yourself or use Graphene OS.
With those points in mind, AOSP by default is a secure system to use. All apps are sandboxed by default as different users, seperated on a kernel level via different UIDs for each process. SELinux further locks down these processes by enforcing Mandatory Access Controls for all processes, even those running as root. No process has more permissions than aboslutely required to function, this is what we call the principle of least privilege. If you've ever noticed permission toggles for every application on Android, that's due to security features like SELinux making sure that process is locked down to the absolute bare-minimum needed to function. Beyond god-tier sandboxing, Android also requires all applications to be signed by their developer, which can prevent a man-in-the-middle attack from serving a malicious app update. The only way an app can be maliciously updated is if the developer's signing keys were leaked. All Android devices are encrypted by default, which is handled by the Trusted Execution Environment and hardware keystore to prevent unauthorized access. This means that not only are files unreadable at a cold boot, but the phone should be protected against most attacks on the encryption (assuming you have the latest security patches). Finally, the last piece that ties everything together, Verified Boot. Verified Boot ensures a valid root of trust from the hardware, to the bootloader and the kernel, to the boot partition, and all other partitions. Verified Boot ensures that on reboot, your handset is in a clean, safe state. The amazing thing about AOSP is that, on a daily basis, the user doesn't notice these features or design choices. Everything is tied together to work seamlessly, so the user doesn't have to think about it. AOSP is a strong choice to consider if Graphene OS is not an option for you, and will provide strong security for daily usage.