I’m aware this topic may not be Sailfish OS related at all but assuming SFOS users to be more privacy focused than your regular Android/iOS TikTok addict this may be an interesting read regardless:
Amnesty International - Forensic Methodology Report: How to catch NSO Group’s Pegasus
Does anyone know if SFOS would be affected by this?
Are Android vulnerabilities carried over to SFOS in this sense?
@unmaintained Thank you for asking this question. This topic IS SFOS related!
I was now visiting the forum to ask exactly the same question, but you were faster 
So I’m also very interested to learn more about this, which Android parts and Android vulnerabilities are still remaining in a SFOS flashed phone.
edit: … in three cases:
also, how far can an infected Android app get access to the SFOS system and spy out something or damage it.
Well, I don’t know about actual damage, but an infected Android app running under SFOS AlienDalvik can certainly wreak havoc with native apps. See Native Browser Malware/Virus - #51 by pasik