HeadlinesBriefing.com

GrapheneOS Server Infrastructure: Security Claims vs Reality

Hacker News

GrapheneOS earned respect for its hardened Android security, with Cellebrite publicly acknowledging it cannot extract data from these devices. The kernel hardening, memory allocator improvements, and sandboxing work effectively. However, examining the project's server infrastructure reveals practices that contradict its security-first messaging.

Founder Daniel Micay stepped down in 2023 after conflicts with privacy community members, yet Canadian corporate records still list him as director. His personal GitHub account receives all project funding, and server configurations include his dotfiles—editor themes, shell preferences, and keyboard bindings. These personal setup files manage infrastructure serving approximately 400,000 users.

Every server runs Arch Linux, from dedicated boxes to DNS nodes, using rolling-release updates instead of stable distributions like Debian or Alpine. DNS servers contain full Arch installations with 42 packages including development tools, directly opposing the phone OS philosophy of minimizing attack surfaces. Containers use `pacstrap` to install complete Arch systems rather than minimal isolated environments.

Despite building a global network of over 40 DNS servers across 16 locations to avoid third-party dependency, all servers forward queries to Cloudflare via encrypted connections. The infrastructure moved from French OVH to netcup servers in Manassas, Virginia—placing user data under US jurisdiction with NSL and FISA court oversight. Signing keys remain controlled by the same individual, creating a single point of failure for the entire project.