Hi everyone, I’m looking to possibly simplify my smartphone setup. I would really love to keep it as a utility: phone, text, camera, GPS, web browser, notes, email, music player. I’m thinking of switching to a local NextCloud backup system as well. I currently have an iPhone but used to flash ROMs on Android phones, so I would be willing to do that again for more privacy options and less unnecessary changes to the OS.
I have looked a little into it, and I’m wondering about getting a couple year old Pixel and putting GrapheneOS on it. I also searched a little and came across the Purism Librem 5 that has physical kill switches and sounds neat; a little pricy but I’d be willing to pay if it lasts a while and has good privacy options.
What are your thoughts? Are there other hardware suggestions or setups that you like? The idea of FOSS is appealing because it seems like the money aspect seems to skew the priority of smartphones.
GrapheneOS and a Pixel. Sounds exactly like what you want.
Alternatively, a Fairphone with CalyxOS. Both are more secure and private than a stock Android phone.
GrapheneOS would be my recommendation. I used Calyx for a year and recently switched over to Graphene. Calyx was great for the time being, as it focused more on usability, when GrapheneOS didn’t even provide push notifications and was needlessly secure for my threat model.
But now, GrapheneOS is even more compatible and complete than Calyx, while more secure.
It’s very barebones by default and Google services are optional and sandboxed + strongly restricted. I would get a newer Pixel model in your case. I bought the Pixel 5 and somewhat regret it, since it hit end of support.
Or, you could buy a Fairphone. That would be more sustainable, since you can modify and repair it easily yourself, and it has a super long warranty and support.
GrapheneOS sadly does only support Pixels, but Calyx the Fairphone too. A used Pixel with GrapheneOS is a great option. The install is very barebones, and it’s basically the most privacy you’ll get with a modern smartphone without restricting its ability to be a smartphone.
Great to see people care about their privacy, especially on their mobile devices, as these are often the worst in regards to privacy. GrapheneOS is definitely the best choice, other options are not worth considering. I absolutely recommend against the Librem 5 (or any Linux phone), as these are not really usable, lack essentially every important app and have far worse security than Android or GrapheneOS. There’s a great article about Linux phones: https://madaidans-insecurities.github.io/linux-phones.html
If you want to use GrapheneOS, get a Pixel 6 or newer, because the older models don’t get security updates anymore. The Pixel 6 will be supported until 2026, the 6a until 2027, you can check out the full list on this site: https://grapheneos.org/faq#device-lifetime
GrapheneOS doesn’t ship any unnecessary bloatware by default, it only comes with stock AOSP applications and no Google services at all. You can install Sandboxed Google Play services from the GrapheneOS Apps repository. For all the other things you need, I recommend searching on F-Droid. It’s a repository of FOSS Android apps that don’t spy on you.
I would really love to keep it as a utility: phone, text, camera, GPS, web browser, notes, email, music player. I’m thinking of switching to a local NextCloud backup system as well.
For your use cases I recommend the following apps:
- GrapheneOS includes their own ‘Secure Camera’ app, but it can’t make use of the post processing in the Google Pixel. You can install the normal Google Camera app from the Play Store through Aurora Store (an anonymous way to download apps from Google Play) and revoke its network permission in the settings. The network toggle is a feature unique to GrapheneOS.
- For maps and navigation I recommend the following solutions: OsmAnd, Organic Maps and Magic Earth. Magic Earth isn’t open source, but they have a good privacy policy and at least in my experience it’s better than the other solutions.
- GrapheneOS ships with the Vanadium browser, which is a hardened version of Chromium. Vanadium is also used in the WebView API, which other apps use to display web content. If you don’t like a Chromium-based browser, I recommend Mull which is hardened Firefox.
- For Notes, I really like Notesnook. It’s open-source, available on F-Droid and if you use their cloud sync feature, it’s end to end encrypted. You can also use it locally and revoke its network access, so it never connects to the internet, if that’s what you prefer. Standard Notes is another option. It also encrypts your notes database locally. There’s also Simple Notes, which has fewer features and it’s fully offline.
- K-9 Mail is probably the best FOSS email client. There’s also FairEmail, but the user interface isn’t great.
- Retro Music is an amazing, good looking open source music app. Simple Music is an alternative.
- If you’re into self hosting, I recommend Immich for syncing photos.
If you find these apps useful, consider donating to their developers. They deserve a tip for making all of this great software available to everyone.
Hope you find this useful.
I thank you for your effort in this post, and I appreciate anyone who tries to give a real and complete answer to this kind of question, but I’d like to point out that madaidan’s “guides” aren’t reliable, and shouldn’t be linked as a useful source of information, since he usually just spreads FUD. Nothing he ever wrote is actually useful to real users and common people, and even if I understand he knows what he’s talking about this doesn’t mean his interpretation is correct. Security isn’t absolute, and safety from any ideal danger that at this time no one even knows how to exploit shouldn’t be the ultimate goal for everyone. Sorry for my bad English, I hope I made myself clear.
A colleague of mine is very happy with the Punkt phone.
Punkt is neat, but in the end it is Android (if you can believe it). So, it has Signal (or Pigeon, as they’ve branded it) but it is also vulnerable the same way any Android phone can be. There are some baked-in apps that track and whatnot.
Nice info. Thanks!
For me, the key aspects for selecting the right hardware are the camera and the community support. All the other capabilities you listed are available on any phone that has a relatively recent ROM available.
Let’s start with the camera quality: If you want to use your phone without GSF or microG, you could use the camera app that comes with the ROM you flashed. Sometimes, the picture quality is decent, but oftentimes it’s lacking. Instead, I would recommend using a modded GCam App together with fake GSF. This way, you can use Google’s powerful camera app without sacrificing your privacy. So when I’m looking for hardware, I always check if there is a modded GCam version available.
Aside from that, I would check if there are recent stable versions of the ROM I want, available for the hardware. The last thing I would check is, how active and how big the modding community for that device is. If you can’t find a lot of support on XDA, it’s probably not the best hardware choice to begin with.
When it comes to software, there are a lot of privacy-friendly replacements to choose from, but here is my setup:
- Syncing Contacts and Todos: selfhosted baikal + DavX5 + Simple Contacts + Tasks
- Syncing Photos: selfhosted NextCloud AIO + nextcloud app
- Syncing Notes: selfhosted webdav + Joplin
- Find My Phone functionality: FindMyDevice
- Maps: OrganicMaps
- Speech to text: FUTO Voice
- Synced Music: Selfhosted JellyFin + FinAmp
- browser bookmark sync: selfhosted webdav + floccus
EDIT: GCam and FUTO are not Open Source, but they are free and don’t collect or require any user data
Thank you for the list of suggestions; that’s really helpful. I haven’t been on Android in a while, is the Gcam app noticeably better than a stock camera app? What sorts of things would it do better? Low lighting or blur reduction?
I agree about the ROM. I’d really like to have something that is simple and looks to have continued support when necessary for security and other major updates. I also agree about the camera. It seems to be a deciding factor for smartphones. The last I checked the Pixels had excellent sensors but had some camera software issues that I believe were eventually resolved. I’m hoping that isn’t an issue if I’m just using a basic OS.
is the Gcam app noticeably better than a stock camera app?
Yes, there’s a very noticeable difference.
What sorts of things would it do better?
It uses the custom ML chip in the Google Tensor processor for post processing. This makes the photos and videos look amazing.
Low lighting or blur reduction?
Both, and a lot more.
In my other comment, I outlined a solution for easily installing the Google Camera app.
I would let your wallet decide.
phone, text, camera, GPS, web browser, notes, email, music player
GrapheneOS and the Librem 5 can handle this. If I hadn’t bought a phone at the end of 2022 I’d likely go for the Librem 5 unless a used Pixel could be acquired.
I think the only thing you will lose with GrapheneOS is tap-to-pay, if you even use that. Beyond that, if you don’t install GSF or even microG on the device you’re already doing a lot in terms of privacy. You have to look into whether things like Uber would work without GSF (I don’t use Uber so I can’t check).
Are there other hardware suggestions or setups that you like?
I was going to set up a Nextcloud server, but ended up just using Syncthing. I thought I would need that full suite of services, but it turns out my workflow just needs a few directories. I use Markor to take notes and write drafts. Before, I did editing on my phone, but now I wait until I am sat down in front of a computer. Syncthing can run on an old Raspberry Pi and requires very little upkeep.
Another suggestion is to use something like UAD to debloat most any Android phone. It is a bit of a preview of what to expect from many alternative ROMs. You need to switch to OSM and use a different calendar app and possibly a different camera app, contacts, keyboard, etc. and you’ll notice very quickly that…nothing really changes except maybe battery life.
Linux phones like the Librem 5 are fundamentally insecure. It’s also outdated and overpriced, I really wouldn’t recommend it.