So what happens, if someone installs GrapheneOS, enables this option and request the source code for a GPLv2 licensed kernel patch? I mean, GPL forces you to provide the sources code.

Then you can either comply and hand out source code, which is still under an embargo, or your right to distribute Android kernels are void.
Both options seem to be bad.

@dideldum GrapheneOS closely follows along with the upstream Linux kernel.org LTS releases via the Android GKI LTS branches. You can see more of those regular updates in our latest regular release:

grapheneos.org/releases#202510…

Linux kernel patches don't come from the Android Security Bulletins. They do list a tiny subset of upstream Linux issues in the YYYY-MM-05 patch level we've always already patched months earlier.

Non-mainline Pixel kernel driver patches come from Pixel GPL source releases.

GrapheneOS releases

Official releases of GrapheneOS, a security and privacy focused mobile OS with Android app compatibility.

^GrapheneOS

@dideldum We don't get early access to new Pixel drivers or firmware. Those still come from the stock Pixel OS and AOSP releases. We get early access to the Android Security Bulletins. When the Android Security Bulletins reference core kernel patches, those are already publicly available either upstream or in the Android GKI repositories.

ASBs have a list of some vendor related patches for drivers, firmware, etc. but it's not distributed through it but rather through from the hardware vendors.