You'd give the duress password before you get pipewrenched.

And once it's wiped there's no point in them pipewrenching you because its too late.

From the link:

GrapheneOS aims to provide harm reduction releases for devices which only have a minimum of 3 years support. Extended support updates at minimum will be done until the next Android version.

Emphasis mine. That quote does not imply they will provide an additional 3 years of support, only that they will offer the harm reduction updates from the end of official OEM support until the next version of Android is released.

I have personal experience with this, as my quite old Pixel 4a received harm-reduction updates from GrapheneOS for an additional few months into 2024 until the next version of Android was released, but that did not result in years of support. It is now completely unsupported, and has a warning on every bootup that says as much.

Further along they then say:

It is likely that we will make a decision around harm reduction releases for other devices with longer lifetimes in Q4 2024.

This implies they may actually stop doing post-support harm reduction updates for the newer devices that have longer support lifetimes from Google.

The following devices are end-of-life, no longer receive firmware or driver security updates, and receive extended support from GrapheneOS via a legacy branch based on Android 14 with only the Android Open Source Project security backports, certain other security patches, and other minimal changes to keep them working:

• Pixel 5a (barbet)
• Pixel 5 (redfin)
• Pixel 4a (5G) (bramble)

The following devices are end-of-life, no longer receive firmware or driver security updates, and receive extended support from GrapheneOS via a legacy branch based on Android 13 with only the Android Open Source Project security backports, certain other security patches, and other minimal changes to keep them working:

• Pixel 4a (sunfish)
• Pixel 4 XL (coral)
• Pixel 4 (flame)

As an owner of a 4a, I can tell you with confidence that my device has not received an update in any form for many, many months now. It is effectively unsupported, and certainly is insecure in comparison to a Pixel 6 or newer.

The GrapheneOS developers themselves have stated in their forum that they will no longer provide extended support beyond the Pixel 5a, and that the extended support it has is already effectively insecure:

You should already be treating it as if it's not receiving updates anymore, since that's largely the case already.

Providing extended support doesn't fit with the way we do things at all and is ending after the Pixel 5a. It's a temporary compromise for harm reduction through existing users at least getting some of the patches despite not moving to a secure device. When this topic comes up in this way, it hints to us that we may be doing more harm than good through people continuing to use an insecure devices. We'll certainly stop doing it with the 5 and 7 year support devices.

A day ago, a GrapheneOS dev said of the Pixel 4a:

It's unsafe to continue using the Pixel 4a. It lacks basic security updates. Pixel 4a was launched August 2020 so it's at the 5 year point. It was a budget device, not a flagship. It was launched with 3 years of support, unlike 8th/9th gen Pixels with 7 years of support from launch or the prior 6th/7th gen Pixels with 5 years of support from launch.

So for the Pixel 4, it effectively received about an extra year and half of tenuous support. The Pixel 5 will receive a few more months of tenuous extended support, then there will be no extended support for any future devices, meaning users will have to upgrade at the end of Google's official support cycle for each device.

Pixel 4a legacy support - GrapheneOS Discussion Forum

GrapheneOS discussion forum

^{GrapheneOS Discussion Forum}