That's utter nonsense. Open-source doesn't necessarily mean private or secure. In fact it's quite easy to build an open-source app with a bugdoor which is very unlikely to be found just by looking at source code, especially if you use memory-unsafe languages, as long as it's not just a tiny code base. The things I mentioned are important security measures and shouldn't be neglected just because you run open-source apps. They are the basics of modern secure OS's.
Btw GrapheneOS and other Android OS's run with the Linux kernel, so technically they are Linux even though they aren't called this way.
Linux phones lack in all aspects compared to AOSP: security and privacy enforcement (mandatory sandboxing, permission control, full-system MAC, verified boot), usability and compatibility with the mobile app ecosystem. The much better approach would be to get a Google Pixel and install GrapheneOS. This will get you a very secure and private smartphone with almost perfect Android app compatibility. Recommend reading about Linux phones on madaidans-insecurities.github.io