

A basic requirement most devices don’t meet is the ability to relock the bootloader. Other than Fairphone, Google Pixel and OnePlus basically no manufacturers allow unlocking and subsequently relocking the bootloader, which makes custom ROMs inherently less secure than stock. This keeps CalyxOS from most devices. LineageOS can’t be relocked and thus is able to support way more devices.
Others have pointed out more in-depth security requirements GrapheneOS specifically thinks of as mandatory (they do take security very seriously).
Trying to actually restore is the best way to ensure the backup works. But it’s annoying so I never do it.
I usually trust restic to do it’s job. Validating that files are there and are readable can be done with
restic mount
, and you’ve mentioned restic check.The best way to ensure your data is safe is to do a second backup with another tool. And keep your keys safe and accessible. A remote backup has no use of the keys burned down.