Here is some more insight: There are three main parts on your phone which contain security problems:
- Android itself (AOSP, Lineage OS etc)
- The kernel
- Firmware like the modem
Problems in category 1 get fixed by the LineageOS team and no extra effort is needed. That’s also why they bump up the patch level after fixing all security problems which were updated in AOSP and ported to LineageOS. These are things like holes in media playback, the basic frameworks, the browser etc.
Unfortunately every device (or a group of devices) has its own kernel in LineageOS. That’s the android_kernel_fairphone_msm89748 repository mentioned above. This means that the maintainers of a device need to fix security exploits in the kernel themselves. This service is not provided by the LineageOS (core) team. Since there is only one security patch level displayed to the user, and that is updated by the LineageOS core team, it is possible that a lot of security fixes have not been applied to the kernel of a device.
That being said, it actually looks pretty good for the FP2. If you look at the commit history here, you can see that @chrmhoffmann does a good job of merging the latest releases from Fairphone into the LineageOS kernel for the FP2.
The third class of problems is in the firmware of the device. This includes the modem as well as wifi and other firmware. They are nearly always binary only and can only be updated by the chipset manufacturers.
There are two places those firmware “blobs” can reside: The parts integrated into the ROM get updated by the maintainers (for FP2 see here)
For things like the modem which reside on their own storage partition, the end user is required to update those by hand. The official releases by Fairphone do this automatically, but it is not allowed to redistribute those files, so LineageOS can’t update them for you.
What I do is track the changes in FP Open OS, download every release they make and manually fastboot flash all the files except for recovery, system and data. A less error-prone way is to follow the process described here: FP2 modem firmware
My conclusion? Don’t trust the security level shown in LineageOS. Each month there are a lot of security problems described in the Android security advisory. Some are in AOSP, some are in the kernel and some are in the firmware. All these get fixed eventually if you use the official Fairphone releases, and they are very open about this. E.g. some of the bugs (in the firmware) can only be fixed by the hardware manufacturer and Fairphone has to wait. That’s why they often don’t update the patch level to the current month, even though most bugs have been fixed, just because they are missing a couple from their suppliers.
On LineageOS nobody cares if the kernel was updated or not. Same for the firmware. The security patch level gets updated for all devices. It only reflects the state of category 1 problems mentioned above.
What can you do? Update your LineageOS regularly and install the latest firmware/modem updates. This way you will have a more secure system than 99% of the Android users out there.
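As an added example (not from the post above, and not a Fairphone or LineageOS tool), here is a small POSIX shell script for the manual firmware flashing described in the post: it selects the images from an extracted FP Open OS release directory and flashes each one with `fastboot`, skipping recovery, system and data. It assumes that image file names match partition names (e.g. `modem.img` flashes the `modem` partition) and that the data partition image is `userdata.img`; it additionally skips `boot.img`, since that image carries the ROM's own kernel. Defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example. Assumption: images are named after their partition
# (stem of the file name), e.g. modem.img -> "modem"; the data partition
# image is assumed to be userdata.img.

# Print "<partition> <image path>" for each image in DIR to be flashed.
firmware_partitions() {
    dir="$1"
    for img in "$dir"/*.img "$dir"/*.bin "$dir"/*.mbn; do
        [ -e "$img" ] || continue          # no match for this glob
        name=$(basename "$img")
        part="${name%.*}"                  # strip extension -> partition
        case "$part" in
            # recovery/system/userdata come from LineageOS, not Fairphone;
            # boot is skipped too because it holds the ROM's kernel (added caveat).
            recovery|system|userdata|boot) continue ;;
        esac
        printf '%s %s\n' "$part" "$img"
    done
}

# Flash every selected image. With DRY_RUN=1 (the default) only print
# the fastboot commands so you can review them before touching the device.
flash_firmware() {
    dir="$1"
    firmware_partitions "$dir" | while read -r part img; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'fastboot flash %s %s\n' "$part" "$img"
        else
            fastboot flash "$part" "$img" || exit 1   # abort on first failure
        fi
    done
}

# Usage: DRY_RUN=0 sh flash_fp2_firmware.sh /path/to/extracted/fp-open-os
if [ -n "$1" ]; then
    flash_firmware "$1"
fi
```

Run it once without `DRY_RUN=0` and check that the listed partitions are the ones you expect (modem, bootloader stages, etc.) before flashing for real.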