• 1 Post
  • 3 Comments
Joined 5 years ago
Cake day: January 21st, 2021

  • The fact that devs sign the builds doesn’t protect you from a Jia Tan type of actor. Jia Tan had social-engineered their way to a maintainer and then dropped their backdoor in the .tar releases. If you had compiled from the tree you couldn’t be affected. It’s possible to fail to review malicious commits even in this case, but it is still more transparent than pre-packaged releases. And there’s no point to reproducible builds if no one actually reproduces them.
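The gap the comment points at, a release tarball containing files that the checked-in tree does not, can be checked mechanically. This is an added example, not the commenter's code: it hashes every file in a source-tree checkout (what `git archive` at the release tag would give you) and in a tarball, then reports what is only in the tarball, only in the tree, or altered. It assumes the tarball has a single top-level directory; all file names and contents in `demo()` are constructed.

```python
# Added example: diff a release tarball against a source-tree checkout.
# All paths and file contents in demo() are constructed for the demo.
import hashlib, io, os, tarfile, tempfile

def hash_tree(root):
    """Map relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                out[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return out

def hash_tarball(path):
    """Same map for a tarball, with the top-level directory component stripped."""
    out = {}
    with tarfile.open(path, "r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                out[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def compare(tree, tar):
    """Return (only_in_tarball, only_in_tree, modified), each sorted."""
    both = set(tree) & set(tar)
    return (sorted(set(tar) - set(tree)), sorted(set(tree) - set(tar)),
            sorted(p for p in both if tree[p] != tar[p]))

def demo():
    """Constructed scenario: the tarball carries one extra m4 file and one altered file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "src")
        os.makedirs(os.path.join(root, "m4"))
        tree_files = {"configure.ac": b"AC_INIT([pkg],[1.0])\n", "m4/foo.m4": b"dnl helper\n"}
        for rel, data in tree_files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        tar_files = {**tree_files, "m4/foo.m4": b"dnl helper\ndnl injected\n",
                     "m4/extra.m4": b"dnl only in tarball\n"}
        tar_path = os.path.join(tmp, "pkg-1.0.tar.gz")
        with tarfile.open(tar_path, "w:gz") as tar:
            for rel, data in tar_files.items():
                info = tarfile.TarInfo("pkg-1.0/" + rel)
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
        return compare(hash_tree(root), hash_tarball(tar_path))
```

Generated files such as `configure` legitimately appear only in tarballs, so in practice you would compare against the tree after running the project's own bootstrap step and then review whatever still differs.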