(I am afraid I have never actually used stock Android, thus it gets no mention here.)
I have been using CyanogenMod aka CM (recently morphed into LineageOS) for several years on several different mobile phones and tablets. While really liking CM's lack of Google spyware (for masochists, optionally installable!) and other security improvements like fine-grained post-install app permissions, I really did not like the casual attitude towards security updates -- if they were even provided, ever, they came in the form of undocumented nightly builds that were just thrown over the wall -- a common Android disease, it seems. I just could not bring myself to trust the CM updates.
Enter CopperheadOS, a real, living and breathing security-focused Android fork. Not trying it was not an option, so I obtained a slightly used Nexus 6p off of Taobao.com for slightly north of US$200 and flashed it with CopperheadOS. I have been using it for the better part of a month now, and the most obvious improvement is the frequent / aperiodic OS updates. I have already received five.
It is still very difficult to find out what changes / changed behavior to expect with each update, but a close reading of the CopperheadOS blog leaves one with a really warm feeling that the updates are well-tested and trustworthy. The blog also goes on at great length about the many low-level security improvements (relative to stock Android) throughout. They have further had many of the performance-neutral improvements already incorporated by Google upstream. (Note that the many improvements that call for a performance hit in favor of greater security probably make a CopperheadOS device not a great choice for gaming, though I personally so far have no complaints about the performance of my Nexus 6p.)
Permission granularity: both CopperheadOS and CM come with built-in post-install control of app permissions. (Ie. one can install an app that has intrusive install-permissions, and then after it is installed used the OS tools to reverse / turn-off some or all of these permissions.) CM has an edge here because it includes more permissions, giving a feeling of really fine-grained control. CopperheadOS pulls ahead a bit in the UI, as the integration of permission control is more intuitive / easier to use.
Root: not an option with CopperheadOS unless you build your own from source. Several years of CM have made me very comfortable with all the advantages of having root, most notably being able to implement a per-app network firewall with AFWall, for instance. AFWall is so far the only thing I can definitively, painfully say I have lost in CopperheadOS due to this restriction, though it must be said that not being able to get root in file manager is sometimes also quite a time-consuming PITA. And I might someday regret not being able to use something like NTPsync.
Power consumption: so far excellent on my Nexus 6p. CM has always been a bit spotty in this department. I have had a couple devices on which CM was a real battery killer.
Storage encryption: happens by default at install time with CopperheadOS, must be turned on after the fact with CM. Most notably, CopperheadOS has disentangled screen-unlocking from boot-time decryption passwords. So in fact one can use a really long password at boot time, and then the finger-print reader for screen unlocking only. (Nitpick: if you choose a "pattern" password rather than a text password for boot-unlocking, you only get max a 3x3 pattern. CM permits choosing much larger [up to 6x6] and more complex patterns.)
Another great choice on the part of CopperheadOS was the very minimalist and well chosen list of default apps after the initial install. I wish I had taken a screen shot, but as I recall there were only about a dozen. And what there were were exactly things I would have wanted anyway (and with CM I would have had to manually install). Apps like Silence and FDroid, for instance.