anarchosax
Google location tracking in latest version of GrapheneOS.
GrapheneOS doesn't use Google services by default.
Location services Wi-Fi scanning and Bluetooth scanning are off.
They're disabled by default and don't do what you seem to believe they do. These toggles only control whether apps given the Location permission can use it when Wi-Fi and Bluetooth are disabled. They don't give apps access to location data which don't have it.
Only three apps are allowed to determine my location (EasyPark, Forecastie, and Organic Maps - only when used), none of which were used yesterday.
You can see which apps have the Location permission granted in the privacy dashboard. It only shows when it was last accessed.
No apps are allowed location info all of the time.
Allowing while in use means they can use it when they're in the foreground, not just when explicitly started by you. The allow once setting is the best approach for privacy.
Despite this I received a notification from Google that it has registered that I am using a new device
You installed sandboxed Google Play and logged into an account. That's an expected result of it.
and it provided me with a very detailed route of my comings and goings yesterday.
This implies you've granted the background Location permission to Google Maps and enabled the Location permission toggle.
How can that be, when Google services are sandboxed?
It works exactly the same way as other apps. You're allowed to grant the Location permission to Google Play and Google Maps, which appears to be what you've done. It's either that or you're using another device.
This is setting off all sorts of warning lights and alarms for me, as I don't want Google to be able to track my every movement.
What you've posted doesn't appear to be correct and you've overlooked something you've configured.