Protection from zero-days
Prevents many vulnerabilities and makes exploits harder.
Hardened C standard library and compiler toolchain
Catches memory corruption and integer overflows.
Kernel self-protection and high quality ASLR.
Stronger sandboxing and isolation for apps & services
Stricter SELinux policies, seccomp-bpf and more
Backported security features and quicker patching
Benefiting from upstream changes long before stock
Firewall & network hardening
Along with improvements like MAC randomization
Source-available and free of proprietary services
Uses alternatives to Google apps/services like F-Droid
Security-centric user experience changes
Better defaults, finer-grained permission control