The biggest difference I've found is which apps you can use from the Google Play Store. Calyx supports microG, which allows you to access the Play store via front-ends like Aurora. It also works with F-Droid, as mentioned below.
I also notice things like push notifications work just fine with Calyx, and not on Graphene, which I think is due to microG and/or Firebase.
I think there is some additional hardening that Graphene does as well.
If your goal is the most possible privacy and security, I'd go with Graphene. For a much-improved privacy, mostly non-Google experience, where you can still use Maps or your bank's app, I'd go with Calyx.
With graphene you can install sandboxed play services. Which allow you to run google play services without any system/root privileges, in the sane application sandbox as normal applications.
This is definitely superior to the mircog approach which means enabling signature spoofing for applications.
Why should I be concerned with the specific type of signature spoofing used by microg? AIUI it only enables signature spoofing for their specific keys, not applications/publishers generally.
What if I do not want to run Google Play Services at all (or any proprietary code from Google)? Can Graphene sandbox microg instead?
> What if I do not want to run Google Play Services at all (or any proprietary code from Google)? Can Graphene sandbox microg instead?
It might be able to, but AFAIK microg works by pretending to actually be google services, so it's possible it depends on the system privileges that google services usually has?
I also notice things like push notifications work just fine with Calyx, and not on Graphene, which I think is due to microG and/or Firebase.
I think there is some additional hardening that Graphene does as well.
If your goal is the most possible privacy and security, I'd go with Graphene. For a much-improved privacy, mostly non-Google experience, where you can still use Maps or your bank's app, I'd go with Calyx.