Paranoid Android has NO additional security mechanisms over AOSP. It's based on CM with added UI/UX features. The name is not indicative of the type of ROM it is.
CopperheadOS is what you want if you're concerned about security.
To be honest, you should probably not recommend something as secure if you have not fact-checked to make sure that the thing you have recommended actually emphasizes security at a minimum.
While I am happy Copperhead OS is around, it only supports a very limited set of Nexus devices. Back in the pre-Signal days Open Whisper Systems started their own work on an Android fork called WhisperCore. I'm curious if any of the features from WhisperCore ever made it into a new ROM, or if it was all quietly abandoned.
It was all abandoned, but many similar features made it into CM. Things like separating the seeding passphrase/PIN/pattern for FDE from the lockscreen and lockscreen PIN randomization were once features in CyanogenMod.
The former, FDE key separation, feature is gone and you'll need to either use adb or a 3rd party application [0] to achieve it.
It shouldn't be too hard to pull kernel patches from CopperheadOS and apply it to a clean AOSP tree for different devices -- this is obviously after they have done all the heavy lifting.
As you've been using nightly builds, you haven't been using Cyanogen, but been running Cyanogenmod. CyanogenOS is closed source fork of Cyanogenmod. Available for only certain devices. That means that Cyanogenmod is actually a good alternative to Cyanogen
Nothing about paranoid android was security oriented to my memory. They used to have some cool features like HOLO and dynamic DPI switching, but basically lost all of that as android versions came out and they didn't keep up.
http://en.miui.com has some nice UX
http://paranoidandroid.co is nice if you want security
http://aokp.co has been around for years and stays cutting edge