Practically? Basically none at all.

If someone got physical access to your phone, they could install another OS without your knowledge.

Malware could over write the bootloader allowing it to sit unnoticed forever.

The way I understand it is the bootloader is built in security on the soc itself similar to tpm? In some regards phones are safer than computers in this way. If you leave your laptop out someone can tamper with the os, same with an unlocked bootloader. Safe from governments you shouldn't use a phone if that's your worry.

I don't even have a lock on my phone

That's ultimately for you to decide. No one here can tell you whether or not it's likely that someone will gain unsupervised, physical access to your phone.

Its been a while since I used LineageOS on my OG Pixel (sailfish). I remember you have to install the custom bootloader like TWRP to flash the ROM and there was this thing with A and B partitions. Not sure if things change....

With an unlocked bootloader, whoever gets your phone can do the weird Vol Up + Power button combos to flash enter the TWRP bootloader. I couldnt recall correctly, but it is possible they can view / delete your data right within the TWRP screen. Not sure about transferring them off of your device.

OTOH, a locked bootloader wouldnt allow you to do this. There is no way to enter a flash a different ROM.

The thing with unlocked bootloader like LineageOS, especially in my case an OG Pixel, is that you can still flash the official Pixel OS in case Lineage starts to mess things up. LineageOS leaves the bootloader unlocked, so you can still flash.

I'm talking about the case where your phone is completely bricked, i.e. cannot open phone. So you can just use platform-tools to reflash. With Graphene, i guess it is more difficult in this case?

If someone gains access to your device they could alter or replace the OS without your notice, called an evil maid attack.

If the bootloader is locked, they'd have to have the phone OS booted and screen unlocked, then unlock the bootloader, which wipes the device.

If you have to ask, then you aren't important enough to actually be worrying about this kind of thing.

If you were that important, then you would already know the answer to your question.

This is relatively minor. The bigger risk when running a downstream OS is that the team does not have the finances, the staff, or the broad-ecosystem visibility to support their own security research and development in any functional capacity, and there is an unavoidable delay in integrating security updates from the upstream OS.

This is a big problem. It makes running any small-team derivative OS a high-risk choice.