Stock Android with ‘Google Play Services’ represent the biggest evil of all for me. Google Play Services, a bundle of proprietary background services and APIs for Android devices, is Google’s monitoring bug (spy buggy). Google Play Services have been known for years to transmit personal data from users or Android devices to Google. A study of The School of Computer Science and Statistics, Trinity College Dublin, The University of Dublin, reveals data theft. This 
study reveals how invasive this data transfer is. Current versions of Google Play Services send the following information to Google every 20 minutes: IP address, device IMEI, hardware serial number, SIM card serial number, handset phone number, the WiFi MAC address and user email address, app user statistics. This basically affects all Android users who have Google Play Services installed on their device.
LineageOS in combination with MindTheGapps, Open GApps, etc. is also affected. LineageOS Wiki writes: »Google apps are the proprietary Google-branded applications that come pre-installed with most Android devices, such as the Play Store, Gmail, Maps, etc. Due to licensing restrictions, these apps cannot come pre-installed with LineageOS and must be installed separately. The Google apps are not required to boot or run LineageOS, however many users find them beneficial to take full advantage of the Android ecosystem.«
These apps have been packaged by developers independent of LineageOS, and download links have been provided for your convenience only. […] The Google apps packages are not supported in any way by LineageOS.
DivestOS and GrapheneOS are strictly against “Google apps or services”. CalyxOS and iodéOS let you choose whether to enable microG or not during the initial setup. Other CustomROM, such as Havoc-OS or CarbonOS, let the user choose whether to work without ‘services’, with Google services or microG services. All ROM philosophies are a good thing and have their justification, so there is plenty of choice for responsible users. However, those who need ‘services’ have the choice between permanent data theft or a so-called “a basic security function”.