I made it a privileged permission because that's a standard Android thing to gate things (such as reading of IMEI) - My thought process being that if you somehow managed to get around privileged permissions, we have much bigger problems than signature spoofing.
Yeah I agree, it's a good compromise and I definitely use MicroG despite that (though not on Calyx but Lineage for MicroG, as I don't have a Pixel phone). I think the Calyx precautions are more than adequate. And better than Lineage's.
I just wanted to highlight the difference in focus: GrapheneOS will always pick the security side when a compromise needs to be made. Another example is the "We don't lie about security features" stance about SafetyNet, even though a GrapheneOS phone is arguably more secure than a random manufacturer-modified Android ROM. I agree that signature spoofing has an unnecessarily bad name, probably because some mainstream ROMs like Lineage eschew it. Personally I think it's a great tradeoff between privacy and functionality.
The concerns usually raised against that are due to the "default" patch included in their repository, which has a specific purpose.
We don't use that. https://calyxos.org/about/tech/microg/ describes the precautions we take to try and prevent abuse.
I made it a privileged permission because that's a standard Android thing to gate things (such as reading of IMEI) - My thought process being that if you somehow managed to get around privileged permissions, we have much bigger problems than signature spoofing.