Start where it hurts the most, what are key features missing in iOS and Android? Enterprise grade security with publicly audited code. For that you need to release all software with a 3-way-license. What software and services are key to such effort and what would be a gamechanger? Make the OS a client with offline capabilities. In an ideal setup, I just login to a new or random phone, it syncs with my own service-server or Jolla-server(for $user required) and after the sync I have everything I had on my lost phone, including but not limited to certificates, pgp-keys, networks, vpn and other settings. Additionally you may add content like video/audio/pictures. The most sane ways I see as a solution are either default full device encryption or have all security relevant data in a container that is read once after boot and as is synced to a server - it might even be on sdcard or synced publicly as it is encrypted. Plain settings and services are some xml and size is not a factor as long as regular files are either separated or already in the base system. For that all installed (security) software needs to follow strict rules.

Also services like secure texting and filetransfer are a must have, sure it will need another server infra + clients for android and iOS and the others, but as it is open-source anyone can port it to whatever platform (desktop clients are always asked for), or you could use something already existing.

From what we have now, this is getting thevault to become a service instead of a settings feature. Everything else can or should be implemented around said service.

A second layer of security can be added on top later, like NFC yubikeys or authentication service with Jolla for recovery purposes.

I can go on and on about what way it could go after that but for now, I see a fire and forget approach a good idea, people do not want to have themselves look after their devices, they never do - so that is what I would start with, attack the service flaws.

And drop android support, it is a security flaw and prevents developers from porting with notes like "my android version works fine"