The only Pixel I have is a Pixel 3XL which is not supported anymore for updates. A few questions. does that mean at some point you have to buy a new phone all the time? How long are they supported, do I need the buy the newest one everytime to have a decently long support? If I can install Calyx, but have already degoogled my phone, is Calyx still useful? But I suppose at this point it’s still better to get a Pixel anyway and install Graphene which is supposedly better? how risky is it to run an unsupported phone like my Pixel 3XL? What can happen?
What’s your threat model? What are your major security concerns?
A phone not getting hardware updates is going to be trivially targeted by physical attacks, such as celebrite.
If your phone isn’t getting updates from graphene OS, it probably won’t get updates from calyx os either (or soon won’t).
If you just want to keep the hardware working, for nonsensitive things, lineage OS is a great option. But it won’t be very secure
https://grapheneos.org/faq#device-lifetime tells you how long a device will get support and updates
Honestly I hate that question because who actually has an answer for that specific device and situation? Though you do provide a good breakdown