Yes, this would only be a concern for targeted attacks by state actors, in which case not even buying new would be safe.
Thinking about it, in such a scenario buying used may even be safer
A valid excuse may be that they want to prevent GPS spoofing
Can the user access the app file itself? Not acceptable
This is possible on any Android phone, no root or custom rom required
Time to switch away from Auth I guess. Not even using GrapheneOS cause I have a Samsung phone, but this is not acceptable
Yes, this would only be a concern for targeted attacks by state actors, in which case not even buying new would be safe.
Thinking about it, in such a scenario buying used may even be safer