Yes, that is too old for a new phone considering it's already past its end-of-life for both official support and your OS. I'm not sure why you'd recommend them to buy new either - a phone like that is only going to be good value if you pick up a used one for cheap. A new model will be massively overpriced for what it is (and may not even be new, just refurbished and repackaged).

What's the OS we can't talk about?

The Google Pixel 4a is officially end-of-life and doesn't get any software and security updates anymore (https://endoflife.date/pixel).

The one we can't talk about...

I don't get it ? Why can't we say it's name ?

I think it's a bit too old, if you want to stay in the pixel ecosystem maybe try to grab a 6, 6a or 6 pro. They are around $250, and they are great!

I'm using a 4a right now which I bought last year, refurbished. It's a great phone and has a headphone jack. If you're concerend about updates, install an alternative OS. If you want to degoogle that should be the path anyway.

4a is end of life already, so no firmware updates from Google. GrapheneOS has legacy builds available for it but doesn't recommend using them, and they might go away anytime soon

get a used device which is still properly supported, don't buy brand new e-waste

You can install LineageOS or e/OS on it (instead of Graphene, if that's too controversial), and then the 4a is a good phone to use.

I bought a used Pixel 5 in Feb for my daily driver. Replaced my Pixel 3 only because the power button was flaky. They both still run great. By my standards, getting two years out of a phone I paid $150 for is better than getting three years out of a $700 phone.

Depends on your friends threat model, lineage will work on it.

No security updates makes the Pixel 4a a bold choice for your main phone. I don't recommend it

I would follow the graphene OS recommended phone guide, that gives you maximum flexibility to put any operating system you want on the phone.

I have a Pixel 3a, and I love it. I also have a Pixel 4a and love that one too

I bought a Pixel 5a, and hated it. I think the 4a is the best phone on the market right now. Great price, great support in Lineage, and its not too big and heavy.

tangential: I‘m using a oneplus 6 with postmarketOS but depending on your friend‘s it skills, it might not be ready for him yet.

So far its very usable but I suggest someone must want to swim against the current and do things differently. One could say a „pioneer“ type would be ideal for this.

Writing from a 3 years old 4a running CalyxOs: the phone is a perfect choice if you want a small sized phone with a 3.5mm jack and that gets constant updates. The camera might be a little better but I don't take many pictures so I don't mind.

It goes for like $80-120 in my country. For the price it's an interesting deal but it's extremely old so GrapheneOS won't support it. I think you can still find something like LineageOS or crDroid but tbh it's too old for a new daily driver. Lack of firmware updates will kill custom ROMs due to incompatibility with new Android versions eventually (and most likely very soon).

Compact phones are dead now and the last ones don't even seem to support degoogled custom ROMs. You're out of lack with that.

After my 6 year old Redmi 4X's screen touch decided to die, I got an opened-not-used Pixel 4a (in perfect condition) at the end of 2022, because it was one of the few small-ish phones that had good modding support (Pixel phones are ofc known to be very good to degoogle). I love it. Feels good, works well, has a great camera (got a GCam mod too), etc. Only downside is the smaller battery (3100 vs 4100 mAh), but honestly it isn't that big of a deal, I can just carry a powerbank on my backpack or, you know, use my phone less.

Back then, it was the perfect choice for me. Now, I don't know, haven't been keeping up with current models.

Can someone explain to me under what circumstances would using an old phone be risky (under a common reasonable threat model)?

Used Pixel 6, 6 Pro, 7 and 7 Pro can be found for reasonable prices these days. One of those in good condition would be a better buy because you'll still get security patches for a while. Last time I looked, the third party OSs for Pixel phones only supported them for as long as Google did.

I am far from unbiased as I just switched back to my pixel 4a from my new Sony Xperia. I think the Pixel 4a is a flat out GREAT phone, full stop. It is perfectly sized IMO, has been very reliable, good battery life (though at this point I should look into replacing the battery), and it has a headphone jack. That being said, picking it as a new phone now essentially means going with a custom rom and hoping it stays supported. That's fine and all, but it's not something most people want. Just to be clear, the xperia isn't a bad option per se, I only switched back because the phone came carrier locked when it was supposed to be unlocked and the carrier it was locked to was uncooperative so I refunded it.

It is currently not being updated

Yes, it is. You should not recommend such a phone. And this only in terms oft update.

The arguments against the company behind this phone would Film books, but that's another point