dandelion9536 Vandium doesn't protect against fingerprinting and a lot of Apps use Vandium for WebView. What this means is that your phone may not keep your profiles completely unlinked. There is one Media DRM ID for the entire phone and it will never change. Graphene is very secure and hard to hack. If you were a good hacker and someone has a Graphene phone and you want to hack them, it may be a harder, although not impossible, OS to get into. There may be 0day exploits for that Graphene's team doesn't know about, but they probably won't be used on you.
So my Graphene OS phone may have been hacked while I was connected to a Tor node because my Contacts were pulled open. But my contacts were empty so it didn't matter. It's possible it was accidentally opened, but I think it was hacked by a malicious tor node.
With Graphene you are protecting yourself from some data collection and some easier exploits. State level actors can likely break in. If you open Apps in multiple profiles, and they do sophisticated fingerprinting, they likely can link profiles.
So for OpSec, you should use different profiles for different things so that they are isolated in case there's a hack, but know that the profiles can be linked. The cellular is isolated but if there are exploits in that isolation that the cellular modem could be a vector for being hacked. Your bluetooth will identify your phone and if it's linked to you once, it will always be your bluetooth and that doesn't vary like MAC address randomization.
It is very hard for others to break into Graphene, much harder than into non-Graphene, if it's at rest. They are trying to find ways to break in, Graphene devs are also updating the OS all the time. There is some risk someone could break in, but it's lower.
Use FOSS as much as possible so you know what your Apps are doing and if you have to use anything else, and it's linked to you, then all profiles are now linked to you because the tracking technology won't look that different in different profiles.