… is relative depending on how you look at it, and presents itself to me in theory and practice very differentiated.
In 99.9% of custom ROMs, the bootloader remains unlocked and thus offers an increased attack surface. But how big is the real chance that these gaps are exploited by malicious software and criminal elements?
I know of three Android device families (“I don’t want to mention it on your site)”) where the bootloader is relocked after installing a custom ROM . Fairphone is one of them.