My threat model doesn't include Apple or Google, the maker of the operating system. If you assume they could push an update to the built-in password manager, you need to assume they could push a keylogger that exfiltrates both your regular password and the password for your TOTP app.
Fair enough. They're who I'm mostly worried about.
I've got the Google apps in a sandbox, so I think if they pushed such a thing they could only spy on my logins with them.
Not that I have supreme faith in GrapheneOS to keep Google in its box on a device that Google made, but I do hope that it represents enough friction that I get excluded as an outlier from whatever abuses occur.